Can I force 401 error when user not authenticated?

B

Bigtoga

Currently I have succesfully implemented role-based folder security using
roles and web.config in each folder. This works great - if a user is not
authenticated or a member of an allowed role, that user cannot access the
resource (woohoo!). When the disallowed user tries to access the resource,
it redirects them to a login page.

What I want is that, when an unauthorized user tries to access a secure
resource, I want it to raise a 401 error (which would then call my 401
customer error page).

Can I do this?

In my web.config for the application, I have:

<forms name="Auth" loginUrl="login.aspx" protection="All" path="/"/>

If the user fails, it auto-redirects to login.aspx.



I tried this:

<forms name="Auth" protection="All" path="/"/> <!-- loginUrl omitted-->

And rebuilt then restarted the webserver - same thing.



How can I set it up so that unathorized requests raise a 403 error? i have
this in web.config as well...

<customErrors mode="On" defaultRedirect="/errors/404.aspx">

<error statusCode="400" redirect="/errors/400.aspx"/><!--400 (Bad
Request)-->

<error statusCode="401" redirect="/errors/401.aspx"/><!--401
(Unauthorized)-->

<error statusCode="403" redirect="/errors/403.aspx"/><!--403 (Forbidden)-->

<error statusCode="404" redirect="/errors/404.aspx"/><!--404 (Not Found)-->

<error statusCode="500" redirect="/errors/500.aspx"/><!--500 (Internal
Server Error)-->

</customErrors>
 
K

Ken Schaefer

Hi

When using forms authentication, you are never sending back a 403 header.
You are just redirecting the user to another ASP.NET page. A 403 header
forces the browser to use HTTP authentication (e.g. Basic, IWA, Digest etc).

Forms auth never involves these HTTP status codes - all pages are 200 OK. It
is at the application layer (of your ASP.NET app) that you enforce
authentication, not at the lower HTTP level.

Cheers
Ken


: Currently I have succesfully implemented role-based folder security using
: roles and web.config in each folder. This works great - if a user is not
: authenticated or a member of an allowed role, that user cannot access the
: resource (woohoo!). When the disallowed user tries to access the resource,
: it redirects them to a login page.
:
: What I want is that, when an unauthorized user tries to access a secure
: resource, I want it to raise a 401 error (which would then call my 401
: customer error page).
:
: Can I do this?
:
: In my web.config for the application, I have:
:
: <forms name="Auth" loginUrl="login.aspx" protection="All" path="/"/>
:
: If the user fails, it auto-redirects to login.aspx.
:
:
:
: I tried this:
:
: <forms name="Auth" protection="All" path="/"/> <!-- loginUrl omitted-->
:
: And rebuilt then restarted the webserver - same thing.
:
:
:
: How can I set it up so that unathorized requests raise a 403 error? i have
: this in web.config as well...
:
: <customErrors mode="On" defaultRedirect="/errors/404.aspx">
:
: <error statusCode="400" redirect="/errors/400.aspx"/><!--400 (Bad
: Request)-->
:
: <error statusCode="401" redirect="/errors/401.aspx"/><!--401
: (Unauthorized)-->
:
: <error statusCode="403" redirect="/errors/403.aspx"/><!--403
(Forbidden)-->
:
: <error statusCode="404" redirect="/errors/404.aspx"/><!--404 (Not
Found)-->
:
: <error statusCode="500" redirect="/errors/500.aspx"/><!--500 (Internal
: Server Error)-->
:
: </customErrors>
:
:
 
B

Bigtoga

Excellent info - thanks very much.

So, if I have a page/section that requies authentication and a user who is
not authenticated tries to visit, can I redirect to a different page than
the loginUrl specified inweb.config?

Essentially, I'm using
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<authorization>
<allow roles="SuperPeople"/>
<deny users="*" />
</authorization>
</system.web>
</configuration>

in my web.config file for each "secure" drectory. If the user is already
logged in but doesn't belong to the SuperPeople role, it sends them to the
login page (but they've already logged in).

Any ideas would be helpful
 
K

Ken Schaefer

Hi,

What type of authentication are you talking about? If you are talking about
HTTP Authentication, you can't (as a general rule [1]) do this with a form.
Why? Because you need to authenticate *before* the form can be loaded
(before ASP.NET even kicks in). This happens directly between the webserver
and webbrowser.

If you are talking about forms auth, then you specify your own login page.
Forms Auth is an ASP.NET authentication mechanism. As far as IIS is
concerned, all user access is "anonymous". It is ASP.NET that keeps track of
users, and who's authenticated etc.

Cheers
Ken

[1] There is a customauth tool in the IIS 6.0 Res Kit that allows HTTP auth
via a form. Whether this also works with ASP.NET I don't know, and it's not
an officially supported product. The source code for this tool is in the
Windows 2003 Platform SDK.


: Excellent info - thanks very much.
:
: So, if I have a page/section that requies authentication and a user who is
: not authenticated tries to visit, can I redirect to a different page than
: the loginUrl specified inweb.config?
:
: Essentially, I'm using
: <?xml version="1.0" encoding="utf-8" ?>
: <configuration>
: <system.web>
: <authorization>
: <allow roles="SuperPeople"/>
: <deny users="*" />
: </authorization>
: </system.web>
: </configuration>
:
: in my web.config file for each "secure" drectory. If the user is already
: logged in but doesn't belong to the SuperPeople role, it sends them to the
: login page (but they've already logged in).
:
: Any ideas would be helpful
:
:
: : > Hi
: >
: > When using forms authentication, you are never sending back a 403
header.
: > You are just redirecting the user to another ASP.NET page. A 403 header
: > forces the browser to use HTTP authentication (e.g. Basic, IWA, Digest
: etc).
: >
: > Forms auth never involves these HTTP status codes - all pages are 200
OK.
: It
: > is at the application layer (of your ASP.NET app) that you enforce
: > authentication, not at the lower HTTP level.
: >
: > Cheers
: > Ken
:
:
 
B

Bigtoga

Thanks. Sorry for my unclear response - I am using Forms auth. The problem,
just for clarity, is:

<allow users="*"> for full site

"/specialAccessOnly/" - <allow roles="Special">
"/authenticated/" - <allow roles="Special, Auth">

As you can see, the "Special" role has more perms than the "Auth" role.

Here's the issue:
** If a "Auth" role tries to visit the "/specialAccessOnly/" folder, they
will get redirected to the page specified in loginUrl (but they are actually
already logged in).

What I'm trying to do (if not possible, just say "Not possible" and I'll be
happy and quit looking!):
** Instead of redirecting back to the loginUrl, I'd like to redirect to a
page that says they don't have access to reach this page (simluating a 401
error with a customError).

I only want to use Forms Auth on this; like I said, if what I want can't be
done, then that's okay too!

Thanks for the responses :)

PS - I could do this, I think, in the loginUrl page by using
if ( Request.Params["ReturnURL"] != null)

// my code to put Unauthorized Access message here


Ken Schaefer said:
Hi,

What type of authentication are you talking about? If you are talking about
HTTP Authentication, you can't (as a general rule [1]) do this with a form.
Why? Because you need to authenticate *before* the form can be loaded
(before ASP.NET even kicks in). This happens directly between the webserver
and webbrowser.

If you are talking about forms auth, then you specify your own login page.
Forms Auth is an ASP.NET authentication mechanism. As far as IIS is
concerned, all user access is "anonymous". It is ASP.NET that keeps track of
users, and who's authenticated etc.

Cheers
Ken

[1] There is a customauth tool in the IIS 6.0 Res Kit that allows HTTP auth
via a form. Whether this also works with ASP.NET I don't know, and it's not
an officially supported product. The source code for this tool is in the
Windows 2003 Platform SDK.


: Excellent info - thanks very much.
:
: So, if I have a page/section that requies authentication and a user who is
: not authenticated tries to visit, can I redirect to a different page than
: the loginUrl specified inweb.config?
:
: Essentially, I'm using
: <?xml version="1.0" encoding="utf-8" ?>
: <configuration>
: <system.web>
: <authorization>
: <allow roles="SuperPeople"/>
: <deny users="*" />
: </authorization>
: </system.web>
: </configuration>
:
: in my web.config file for each "secure" drectory. If the user is already
: logged in but doesn't belong to the SuperPeople role, it sends them to the
: login page (but they've already logged in).
:
: Any ideas would be helpful
:
:
: : > Hi
: >
: > When using forms authentication, you are never sending back a 403
header.
: > You are just redirecting the user to another ASP.NET page. A 403 header
: > forces the browser to use HTTP authentication (e.g. Basic, IWA, Digest
: etc).
: >
: > Forms auth never involves these HTTP status codes - all pages are 200
OK.
: It
: > is at the application layer (of your ASP.NET app) that you enforce
: > authentication, not at the lower HTTP level.
: >
: > Cheers
: > Ken
:
:
 
B

Bigtoga

in my page specified in the loginUrl, I use:

if ( Request.Params["ReturnURL"] != null)
// code to write message, redirect, etc

this is the easiest solution, I suppose. It does what I need.

Thanks for the help but, if anyone has any further ideas, please post
 
J

Joseph E Shook [MVP - ADSI]

Not possible?... This is .NET. I think what you want is the same kind
of functionality you get from windows role based authorization. Meaning
even if you have authenticated already and received your token with
group membership info, a subsequent visit to a page with authorization
requirements not meeting your token contents you are presented with a
authentication dialog. At that point you either login again hoping to
get an updated token with new group added or you just change to a
different user to get access to that more secure content.

So if you want to get that going with forms based authentication then
you need a way to redirect when a authorization attempt fails post
successful authentication.

The following code will help: You could be more creative and write your
own HttpModule but this works for me. I haven't put a whole lot of time
behind it but I am sure it is the ingredient you are looking for.

Sub Application_Error(ByVal sender As Object, ByVal e As EventArgs)

If
Server.GetLastError().GetType().Equals(GetType(System.Security.SecurityException))
Then
Response.Redirect("login.aspx?ReturnUrl=" &
HttpUtility.UrlEncode(Context.Request.Url.PathAndQuery,
Context.Request.ContentEncoding))
End If

End Sub


Thanks. Sorry for my unclear response - I am using Forms auth. The problem,
just for clarity, is:

<allow users="*"> for full site

"/specialAccessOnly/" - <allow roles="Special">
"/authenticated/" - <allow roles="Special, Auth">

As you can see, the "Special" role has more perms than the "Auth" role.

Here's the issue:
** If a "Auth" role tries to visit the "/specialAccessOnly/" folder, they
will get redirected to the page specified in loginUrl (but they are actually
already logged in).

What I'm trying to do (if not possible, just say "Not possible" and I'll be
happy and quit looking!):
** Instead of redirecting back to the loginUrl, I'd like to redirect to a
page that says they don't have access to reach this page (simluating a 401
error with a customError).

I only want to use Forms Auth on this; like I said, if what I want can't be
done, then that's okay too!

Thanks for the responses :)

PS - I could do this, I think, in the loginUrl page by using
if ( Request.Params["ReturnURL"] != null)

// my code to put Unauthorized Access message here


Hi,

What type of authentication are you talking about? If you are talking
about

HTTP Authentication, you can't (as a general rule [1]) do this with a
form.

Why? Because you need to authenticate *before* the form can be loaded
(before ASP.NET even kicks in). This happens directly between the
webserver

and webbrowser.

If you are talking about forms auth, then you specify your own login page.
Forms Auth is an ASP.NET authentication mechanism. As far as IIS is
concerned, all user access is "anonymous". It is ASP.NET that keeps track
of

users, and who's authenticated etc.

Cheers
Ken

[1] There is a customauth tool in the IIS 6.0 Res Kit that allows HTTP
auth

via a form. Whether this also works with ASP.NET I don't know, and it's
not

an officially supported product. The source code for this tool is in the
Windows 2003 Platform SDK.


: Excellent info - thanks very much.
:
: So, if I have a page/section that requies authentication and a user who
is

: not authenticated tries to visit, can I redirect to a different page
than

: the loginUrl specified inweb.config?
:
: Essentially, I'm using
: <?xml version="1.0" encoding="utf-8" ?>
: <configuration>
: <system.web>
: <authorization>
: <allow roles="SuperPeople"/>
: <deny users="*" />
: </authorization>
: </system.web>
: </configuration>
:
: in my web.config file for each "secure" drectory. If the user is already
: logged in but doesn't belong to the SuperPeople role, it sends them to
the

: login page (but they've already logged in).
:
: Any ideas would be helpful
:
:
: : > Hi
: >
: > When using forms authentication, you are never sending back a 403
header.
: > You are just redirecting the user to another ASP.NET page. A 403
header

: > forces the browser to use HTTP authentication (e.g. Basic, IWA, Digest
: etc).
: >
: > Forms auth never involves these HTTP status codes - all pages are 200
OK.
: It
: > is at the application layer (of your ASP.NET app) that you enforce
: > authentication, not at the lower HTTP level.
: >
: > Cheers
: > Ken
:
:
 
B

Bigtoga

Thanks - while your code would work, I went the easy way out in my other
post:

in my page specified in the loginUrl, I use:

if ( Request.Params["ReturnURL"] != null)
// code to write message, redirect, etc

this is the easiest solution, I suppose. It does what I need.

Are you suggesting there are other problems with my method that I'm not
aware of? I'd certainly like to know if my method would cause
errors/elevated-access...


Joseph E Shook said:
Not possible?... This is .NET. I think what you want is the same kind
of functionality you get from windows role based authorization. Meaning
even if you have authenticated already and received your token with
group membership info, a subsequent visit to a page with authorization
requirements not meeting your token contents you are presented with a
authentication dialog. At that point you either login again hoping to
get an updated token with new group added or you just change to a
different user to get access to that more secure content.

So if you want to get that going with forms based authentication then
you need a way to redirect when a authorization attempt fails post
successful authentication.

The following code will help: You could be more creative and write your
own HttpModule but this works for me. I haven't put a whole lot of time
behind it but I am sure it is the ingredient you are looking for.

Sub Application_Error(ByVal sender As Object, ByVal e As EventArgs)

If
Server.GetLastError().GetType().Equals(GetType(System.Security.SecurityExcep
tion))
Then
Response.Redirect("login.aspx?ReturnUrl=" &
HttpUtility.UrlEncode(Context.Request.Url.PathAndQuery,
Context.Request.ContentEncoding))
End If

End Sub


Thanks. Sorry for my unclear response - I am using Forms auth. The problem,
just for clarity, is:

<allow users="*"> for full site

"/specialAccessOnly/" - <allow roles="Special">
"/authenticated/" - <allow roles="Special, Auth">

As you can see, the "Special" role has more perms than the "Auth" role.

Here's the issue:
** If a "Auth" role tries to visit the "/specialAccessOnly/" folder, they
will get redirected to the page specified in loginUrl (but they are actually
already logged in).

What I'm trying to do (if not possible, just say "Not possible" and I'll be
happy and quit looking!):
** Instead of redirecting back to the loginUrl, I'd like to redirect to a
page that says they don't have access to reach this page (simluating a 401
error with a customError).

I only want to use Forms Auth on this; like I said, if what I want can't be
done, then that's okay too!

Thanks for the responses :)

PS - I could do this, I think, in the loginUrl page by using
if ( Request.Params["ReturnURL"] != null)

// my code to put Unauthorized Access message here


Hi,

What type of authentication are you talking about? If you are talking
about

HTTP Authentication, you can't (as a general rule [1]) do this with a
form.

Why? Because you need to authenticate *before* the form can be loaded
(before ASP.NET even kicks in). This happens directly between the
webserver

and webbrowser.

If you are talking about forms auth, then you specify your own login page.
Forms Auth is an ASP.NET authentication mechanism. As far as IIS is
concerned, all user access is "anonymous". It is ASP.NET that keeps
track

of
users, and who's authenticated etc.

Cheers
Ken

[1] There is a customauth tool in the IIS 6.0 Res Kit that allows HTTP
auth

via a form. Whether this also works with ASP.NET I don't know, and it's
not

an officially supported product. The source code for this tool is in the
Windows 2003 Platform SDK.


: Excellent info - thanks very much.
:
: So, if I have a page/section that requies authentication and a user
who

is
: not authenticated tries to visit, can I redirect to a different page
than

: the loginUrl specified inweb.config?
:
: Essentially, I'm using
: <?xml version="1.0" encoding="utf-8" ?>
: <configuration>
: <system.web>
: <authorization>
: <allow roles="SuperPeople"/>
: <deny users="*" />
: </authorization>
: </system.web>
: </configuration>
:
: in my web.config file for each "secure" drectory. If the user is already
: logged in but doesn't belong to the SuperPeople role, it sends them to
the

: login page (but they've already logged in).
:
: Any ideas would be helpful
:
:
: : > Hi
: >
: > When using forms authentication, you are never sending back a 403
header.
: > You are just redirecting the user to another ASP.NET page. A 403
header

: > forces the browser to use HTTP authentication (e.g. Basic, IWA, Digest
: etc).
: >
: > Forms auth never involves these HTTP status codes - all pages are 200
OK.
: It
: > is at the application layer (of your ASP.NET app) that you enforce
: > authentication, not at the lower HTTP level.
: >
: > Cheers
: > Ken
:
:
 
T

tafs7

What you can do, is this:

on your Login page, check if the request is authenticated, and if so,
that means the user has already logged in but didn't have the correct
permission to access the resource, so he/she got bumped back to the
login.

thus....login.aspx:

private void Page_Load(object sender, EventArgs e)
{
if(Request.IsAuthenticated)
{
//the user has already logged in, but
//did not have the rights to the requested resource
//so let's redirect to our custom 403 page
// and let him/her know that access was denied!

Response.Redirect("my403.aspx", true)
}
else
{
//do my regular page load stuff here
}
}

Hope this helps you.

And while I am at it....I just put a post with a question on
role-based authentication/authorization, but no replies...so here it
is, and if you have any suggestions I'd appreciate it!

I have an ASP.NET application that uses forms authentication. I
rolled my own CustomPrincipal class for role-based authentication, and
wired the Application_AuthenticateRequest() event on my global.asax.
All is working great.

Now my new requirement is that I make a role on my SQLServer db that
is a "low level" user. This role will only have access to ONE
specific folder on my application, and nothing else outside of it.
Other roles can access other folders including this one. I should
also note that there is no anonymous access on this application.
Everything is password protected, so when the first request fires, the
user is automatically redirected to the login page, then, once
authenticated, he/she is taken to the default.aspx on the root.

Everyone uses the same login page, but if the user name is in the
"low-level" role, I need to automatically redirect to the special
folder, while all other users get taken to my root's default.aspx (if
no other return url string is specified).

This is a snippet of my web.config on the root directory:
<authentication mode="Forms">
<forms name=".ELITECTSUSERAUTH" loginUrl="~/login.aspx"
protection="All"
timeout="30"
slidingExpiration="true"
path="/" />
</authentication>
<authorization>
<deny users="?" roles="5" /> <!-- Deny anonymous users and low-level
roles-->
<allow users="*" />
</authorization>

As you can see, this denies access to anonymous users and users in the
role "5", which is my "low-level" user.
So the question is this: (1) how to make the application kick the
low-level user to the special folder once he/she is authorized and a
principal has been generated for them, without ever going to the root
default.aspx.

I also thought I should include either a location section in my root
web.config that allows role 5 into the special folder, or add a new
web.config to that special folder allowing authenticated users and all
roles, overriding the root web.config.

Does anybody have any suggestions to this problem?

Thiago Silva
web developer

-------------------------------------------------------



Bigtoga said:
in my page specified in the loginUrl, I use:

if ( Request.Params["ReturnURL"] != null)
// code to write message, redirect, etc

this is the easiest solution, I suppose. It does what I need.

Thanks for the help but, if anyone has any further ideas, please post
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,484
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top