Role base security and RedirectUrl

Discussion in 'ASP .Net Security' started by RedHair, Oct 6, 2008.

  1. RedHair

    RedHair Guest

    I use Forms Authentication and role-based security to secure one ASP.NET
    3.5 application.
    Below are the security settings in web.config:

    <location path="testAdmin.aspx">
      <system.web>
        <authorization>
          <allow roles="Admin"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </location>

    If an anonymous user tries to access testAdmin.aspx then he/she will be
    redirected to the login page based on the loginUrl setting of the
    <authentication> element, but if a logged-on user whose role is not "Admin"
    tries to access the testAdmin.aspx page, the system still redirects him/her
    to the login page. In this case, is it possible to redirect the user to
    another page other than the login page, via configuration?
    Or do I need to add Context.User.IsInRole("Admin") to each page?

    Thanks.
     
    RedHair, Oct 6, 2008
    #1

  2. RedHair

    rote Guest

    RedHair
    I think the setting you provided is doing the right thing, as only people with the Admin role can get to the page.
    If you are using Forms auth then you can change the loginUrl property to suit your need (to a different page).

    You stated:
    .. a logged-on user whose role is not "Admin" tries to access the
    testAdmin.aspx page, the system
    still redirects him/her to the login page

    But that's what it's supposed to do.

    If you want more control you can switch to Windows Auth and do the authorization in your code.
    Then in code use User.IsInRole("Admin")
    Look at these samples by Scott:
    http://weblogs.asp.net/scottgu/page...ng-Windows-Authentication-and-SQL-Server.aspx
    Hope that helps
    Patrick


     
    rote, Oct 7, 2008
    #2

  3. RedHair

    RedHair Guest

    Thanks.
    I hope there is a way to tell the user on the login page why he/she was
    redirected to the login page: because of his role or because he is anonymous.

    If it's due to the role security setting, the user will be redirected to the
    login page again and again without any information, because he has a
    valid account.


     
    RedHair, Oct 7, 2008
    #3
  4. RedHair

    Joe Kaplan Guest

    As I recall, there is a way to detect that the forms auth has redirected you
    to the logon page in the EndRequest event (in global.asax) and to change
    that to show a different page instead of doing a redirect. You would need to
    execute the logic to test to see if the user is authenticated first, as you
    need to ensure that the user is being redirected as authenticated but not
    authorized as opposed to just "authenticated".

    I think if you do some searches you'll find some samples of how to achieve
    this. It is a bit of a pain that the built-in system isn't a little more
    flexible with this.

    Joe K.
    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
     
    Joe Kaplan, Oct 7, 2008
    #4
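
One way to implement the EndRequest check described in post #4, as an added example that is not code from the thread: it leaves the login redirect alone for anonymous users and re-points it only for users who are authenticated but not authorized. `AccessDenied.aspx` is a hypothetical page name, this version changes the redirect target rather than rendering a page in place, and it assumes `FormsAuthentication.LoginUrl` matches the start of the `Location` header that forms authentication emits.

```csharp
// Global.asax.cs (added example; AccessDenied.aspx is an assumed page name)
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Hypothetical page. It must not itself be restricted by role,
    // otherwise the denied user is bounced in a loop again.
    private const string AccessDeniedUrl = "~/AccessDenied.aspx";

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // By EndRequest, forms authentication has replaced the 401 raised
        // by URL authorization with a 302 to the configured loginUrl.
        if (Response.StatusCode != 302)
            return;

        // Anonymous callers keep the normal redirect to the login page.
        if (!Request.IsAuthenticated)
            return;

        string location = Response.RedirectLocation;
        if (string.IsNullOrEmpty(location))
            return;

        // Only rewrite redirects that point at the login page, not
        // redirects issued by the application's own code.
        if (!location.StartsWith(FormsAuthentication.LoginUrl,
                                 StringComparison.OrdinalIgnoreCase))
            return;

        // Authenticated but not authorized: send a fixed, app-local target.
        // The ReturnUrl query value is dropped rather than forwarded.
        Response.RedirectLocation =
            VirtualPathUtility.ToAbsolute(AccessDeniedUrl);
    }
}
```

The `<location>` rule for `testAdmin.aspx` stays in web.config as the actual access control; this handler only changes where a denied, signed-in user lands.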