Roles based Forms Auth - denied pages redirect

Discussion in 'ASP .Net Security' started by Shaun, Jul 19, 2004.

  1. Shaun

    Shaun Guest

    I would like to know how, if at all possible, a custom redirect page can be set up for when a user's role(s) are denied to a page.
    The default behaviour seems to be back to the default/login page but I need to tell the user that they are not allowed the access requested.
    The site in question is basically just HTML pages that have no code in them, so I cannot use page behind code. I also set permissions to various parts of the site using web.config files and cannot hard-code checking in the pages as this may change.

    This is my second attempt to find out.

    For now I am finding the next 'upstream' web.config in an HttpModule and checking the user's roles against those in the web.config.
    This is far from ideal - surely forms auth should handle this so I do not have to write such code and look up web.config files for each request (I know these could be cached, but still not ideal).

    Thanks in advance ......


    --------------------------
    Shaun Venus

    emailid: sunevnuahs
    domain: hotmail.com
    --------------------------
     
    Shaun, Jul 19, 2004
    #1

  2. Shaun,

    Are you trying to do something along the lines of a customErrors page for a
    401? If so, that's not possible.

    Jim Cheshire [MSFT]
    MCP+I, MCSE, MCSD, MCDBA
    Microsoft Developer Support


    This post is provided "AS-IS" with no warranties and confers no rights.

     
    Jim Cheshire [MSFT], Jul 19, 2004
    #2

  3. Shaun

    Shaun Guest

    Jim,

    Thanks for getting back to me. Here's what I have done so far .....

    I have a site with many different content areas that users can subscribe to. Each of these areas (in its own folder) has a web.config to specify the roles allowed access; the user belongs to the roles allowed for the subscribed areas.

    As I could not find a way to do the custom error page, I have used the usual code in global.asax to retrieve the roles that were stored in the UserData of the AuthenticationTicket at login.
    Then an HttpModule is used to look back up the path of the request and find the nearest upstream web.config, from which the roles are extracted using an XPath query. From these I can find out if the user is allowed access to the content.
    Obviously this is not ideal as there is lots of IO in finding the web.config file. I am caching them and working on a way of parsing the request's path to reduce the IO further.

    If this is the only way to go then I will continue down this path. Just a shame that the 'deny' from the web.config cannot be used to trigger a redirect to a custom page - from which I could tell the user they are not subscribed to that content area etc.

    Thanks again for your time,

    Shaun


    --------------------------
    Shaun Venus

    emailid: sunevnuahs
    domain: hotmail.com
    --------------------------
     
    Shaun, Jul 21, 2004
    #3
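
The approach described in post #3, sketched as an added example (not Shaun's code and not from the thread). It assumes ASP.NET 2.0 or later for `PostAuthenticateRequest` and `VirtualPathUtility`, that the static pages are served through ASP.NET, and that global.asax already attaches the ticket's roles to the principal; the class name and `~/NotSubscribed.htm` are hypothetical.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Caching;
using System.Xml;
public class RoleDeniedRedirectModule : IHttpModule   // hypothetical name
{
    private const string DeniedPage = "~/NotSubscribed.htm";   // assumed page
    // PostAuthenticateRequest fires after global.asax has attached the ticket's
    // roles to the principal and before UrlAuthorizationModule applies <deny>.
    public void Init(HttpApplication app) { app.PostAuthenticateRequest += OnPostAuthenticate; }
    public void Dispose() { }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string denied = VirtualPathUtility.ToAbsolute(DeniedPage);
        // Anonymous users keep the normal forms-auth redirect to the login page.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;
        if (string.Equals(ctx.Request.Path, denied, StringComparison.OrdinalIgnoreCase)) return;
        string root = ctx.Request.PhysicalApplicationPath.TrimEnd('\\');
        string dir = Path.GetDirectoryName(ctx.Request.PhysicalPath);
        // Walk up to the nearest web.config that lists allowed roles.
        for (; dir != null && dir.Length >= root.Length; dir = Path.GetDirectoryName(dir))
        {
            string[] roles = AllowedRoles(Path.Combine(dir, "web.config"));
            if (roles.Length == 0) continue;
            foreach (string role in roles)
                if (ctx.User.IsInRole(role.Trim())) return;   // subscribed
            ctx.Response.Redirect(denied, true);              // signed in, wrong role
        }
    }

    // Parsed roles are cached per file; the CacheDependency evicts the entry
    // when that web.config changes, so rule edits take effect immediately.
    private static string[] AllowedRoles(string cfg)
    {
        string[] roles = (string[])HttpRuntime.Cache[cfg];
        if (roles != null) return roles;
        if (!File.Exists(cfg)) return new string[0];
        XmlDocument doc = new XmlDocument(); doc.Load(cfg);
        // Simplification: only <allow roles="..."> is read (no xmlns on <configuration>).
        string joined = "";
        foreach (XmlNode n in doc.SelectNodes("/configuration/system.web/authorization/allow/@roles"))
            joined += n.Value + ",";
        roles = joined.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        HttpRuntime.Cache.Insert(cfg, roles, new CacheDependency(cfg));
        return roles;
    }
}
```

The module only changes where a signed-in but unsubscribed user lands. The `<deny>` rules in each web.config should stay in place so that URL authorization remains the actual enforcement if the module lets a request through.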
  4. Hi Shaun,

    The fact that you are doing this successfully with an HttpModule confirms a
    post that I just made in another thread. I wasn't sure if it was possible,
    but figured that an HttpModule would be the only possible way.

    Jim Cheshire [MSFT]
    MCP+I, MCSE, MCSD, MCDBA
    Microsoft Developer Support


    This post is provided "AS-IS" with no warranties and confers no rights.

     
    Jim Cheshire [MSFT], Jul 21, 2004
    #4
