G
gilly3
How do I use a Custom Error page for 401 - Authorization Failed errors?
I tried the web.config method:
<customErrors mode="On" defaultRedirect="/GeneralError.aspx">
<error statusCode="401" redirect="/AccessDenied.aspx" />
</customErrors>
My application uses Windows Integrated Authentication, and restricts
access to a single Windows User Group like this (in web.config):
<authorization>
<allow roles="Domain\UserGroup" />
<deny users="*" />
</authorization>
That didn't work - I was presented with a logon box where I entered my
username and password 4 times. I was then taken to the ASP.NET default
401 error page. Note that it was NOT the page specified in IIS for my
website, nor was it the page specified in the web.config.
I hypothesized that perhaps first the authorization failed on the
requested page, so it redirected to AccessDenied.aspx and then
authorization failed on that page as well. So I debugged it and watched
Request.FilePath and AccessDenied.aspx was never called.
Just to be sure, I changed the redirect to an html page,
AccessDenied.htm. There was no change in behavior.
My workaround:
I got rid of the web.config authorization stuff and I put this in
Global.asax.cs:
void Application_AuthenticateRequest(Object sender, EventArgs e)
{
String AuthURL = "/AccessDenied.aspx";
if (!User.IsInRole("Domain\UserGroup")
&& Request.FilePath != AuthURL)
{
Server.Transfer(AuthURL);
}
}
Well, that works a treat, but what a hack! Isn't this what the
web.config settings should be doing anyway? Is there a better way of
doing it?
thanks
-ivan.
I tried the web.config method:
<customErrors mode="On" defaultRedirect="/GeneralError.aspx">
<error statusCode="401" redirect="/AccessDenied.aspx" />
</customErrors>
My application uses Windows Integrated Authentication, and restricts
access to a single Windows User Group like this (in web.config):
<authorization>
<allow roles="Domain\UserGroup" />
<deny users="*" />
</authorization>
That didn't work - I was presented with a logon box where I entered my
username and password 4 times. I was then taken to the ASP.NET default
401 error page. Note that it was NOT the page specified in IIS for my
website, nor was it the page specified in the web.config.
I hypothesized that perhaps first the authorization failed on the
requested page, so it redirected to AccessDenied.aspx and then
authorization failed on that page as well. So I debugged it and watched
Request.FilePath and AccessDenied.aspx was never called.
Just to be sure, I changed the redirect to an html page,
AccessDenied.htm. There was no change in behavior.
My workaround:
I got rid of the web.config authorization stuff and I put this in
Global.asax.cs:
void Application_AuthenticateRequest(Object sender, EventArgs e)
{
String AuthURL = "/AccessDenied.aspx";
if (!User.IsInRole("Domain\UserGroup")
&& Request.FilePath != AuthURL)
{
Server.Transfer(AuthURL);
}
}
Well, that works a treat, but what a hack! Isn't this what the
web.config settings should be doing anyway? Is there a better way of
doing it?
thanks
-ivan.