Role base security and RedirectUrl

Discussion in 'ASP .Net Security' started by RedHair, Oct 6, 2008.

  1. RedHair

    RedHair Guest

    I use Forms Authentication and role-based security to secure one ASP.NET
    3.5 application.
    Below are the security settings in web.config:

    <location path="testAdmin.aspx">
    <system.web>
    <authorization>
    <allow roles="Admin"/>
    <deny users="*"/>
    </authorization>
    </system.web>
    </location>

    If an anonymous user tries to access testAdmin.aspx then he/she will be
    redirected to the login page
    based on the loginUrl setting of the <authentication> element,
    but if a logged-on user whose role is not "Admin" tries to access the
    testAdmin.aspx page, the system
    still redirects him/her to the login page. In this case, is it possible to
    redirect the user to a page other
    than the login page via configuration?
    Or do I need to add Context.User.IsInRole("Admin") to each page?

    Thanks.
     
    RedHair, Oct 6, 2008
    #1

  2. RedHair

    rote Guest

    RedHair,
    I think the setting you provided is doing the right thing, as only people with the Admin role can get to the page.
    If you are using Forms auth then you can change the loginUrl property to suit your needs (to a different page).

    You stated:
    .. a logged-on user whose role is not "Admin" tries to access the
    testAdmin.aspx page, the system
    still redirects him/her to the login page

    But that's what it's supposed to do.

    If you want more control you can switch to Windows Auth and do the authorization in your code.
    Then in code use User.IsInRole("Admin").
    Look at these samples by Scott:
    http://weblogs.asp.net/scottgu/page...ng-Windows-Authentication-and-SQL-Server.aspx
    Hope that helps
    Patrick
     
    rote, Oct 7, 2008
    #2

  3. RedHair

    RedHair Guest

    Thanks.
    I hope there is a way to tell the user on the login page why he/she was
    redirected to the login page: because of his role or because he is anonymous.

    If it's due to the role security setting, the user will be redirected to the login
    page again and again without any information because he has a
    valid account
     
    RedHair, Oct 7, 2008
    #3
  4. RedHair

    Joe Kaplan Guest

    As I recall, there is a way to detect that forms auth has redirected you
    to the logon page in the EndRequest event (in global.asax) and to change
    that to show a different page instead of doing a redirect. You would need to
    execute the logic to test whether the user is authenticated first, as you
    need to ensure that the user is being redirected as authenticated but not
    authorized as opposed to just "authenticated".

    I think if you do some searches you'll find some samples of how to achieve
    this. It is a bit of a pain that the built-in system isn't a little more
    flexible with this.

    Joe K.
    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
     
    Joe Kaplan, Oct 7, 2008
    #4