nicemonitor
I have created a web application that is utilizing Forms Authentication
and URL Authorization for application security.
The problem arises when an authenticated user (the authentication
ticket cookie has been set) attempts to access a subdirectory or file
where I have explicitly denied them access. For example, the code in
the root web.config is as follows:
    <authentication mode="Forms">
      <forms loginUrl="authAgent.aspx"
             name="csgOperationsAuthTicket"
             protection="All"
             timeout="60"
             path="/"
      />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
A web.config created in a protected directory called "protected" has
the following authorization tags:
    <authorization>
      <allow users="admin" />
      <deny users="*" />
    </authorization>
Now if I attempt to visit a page within the "protected" subdirectory,
the forms authentication ticket is created for the user; however, if I
attempt to access the directory as any other user but "admin" I do not
get an access denied page or message. Instead it stays at the loginUrl
page (seems to reload over and over). If I do access the directory as
"admin" everything works fine.
Is there a way to display an access denied page to the user?
Note that when I use Windows authentication a nice access denied page
is displayed. If you try to use forms authentication the user is left
hanging. This cannot be by Microsoft's design, can it? Is it a bug?
Any insight is *GREATLY* appreciated.
Thanks
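
The behaviour described in the post above can be handled in the login page itself; this is an added example, not part of the original post. It assumes classic ASP.NET Web Forms, where forms authentication turns the 401 from URL authorization into a redirect to loginUrl with a ReturnUrl query string; the class name AuthAgent and the page ~/AccessDenied.aspx are hypothetical.

```csharp
// Added example: code-behind for the login page (authAgent.aspx in the post).
// AuthAgent and ~/AccessDenied.aspx are hypothetical names.
using System;
using System.Web;
using System.Web.UI;

public partial class AuthAgent : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // URL authorization answers a denied request with 401. The forms
        // authentication module rewrites that 401 into a redirect to loginUrl
        // and appends ?ReturnUrl=<denied path>, for anonymous and signed-in
        // users alike.
        string returnUrl = Request.QueryString["ReturnUrl"];

        // Anonymous visitor, or a direct visit to the login page:
        // fall through and render the normal login form.
        if (!Request.IsAuthenticated || string.IsNullOrEmpty(returnUrl))
        {
            return;
        }

        // Signed in and still sent here: the user is authenticated but not
        // authorized for returnUrl (for example, not "admin" under /protected).
        // Asking for credentials again cannot help, so record the denial and
        // answer with 403 instead of showing the login form again.
        Trace.Warn("authorization",
            "Denied " + User.Identity.Name + " access to " + returnUrl);

        Response.StatusCode = 403;
        // Keep IIS 7+ from replacing the body with its own error page
        // (property available from .NET 3.5).
        Response.TrySkipIisCustomErrors = true;

        // Server.Transfer renders the page inside this request, so the 403
        // status is preserved and no further redirect is issued.
        Server.Transfer("~/AccessDenied.aspx");
    }
}
```

Returning 403 rather than redirecting also means the denial shows up in the web server logs with a distinct status code per denied request.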