By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
424,667 Members | 2,255 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 424,667 IT Pros & Developers. It's quick & easy.

Detecting Failed Authorization

P: n/a
I've implemented forms authentication and authorization on my application.
In my Web.Config, my authorization section looks like this..

<authorization>
<allow roles="admin" />
<deny users="*" />
</authorization>

If an authenticated user, who is NOT designated the role "admin" attempts
to access this folder, he/she is simply redirected to the login page.

How do I detect a failed authorization and display a meaninfull error msg? I
found an article which came up with solution :

Sub Global_EndRequest(ByVal sender As Object, ByVal e As System.EventArgs)
Handles MyBase.EndRequest
If User.Identity.IsAuthenticated And Response.StatusCode = "401" Then
Response.Redirect("test.aspx")
End If
End Sub

When I implement this, and the the situation described above occurs, the
application seems to hang.. ie. the user isn't allowed into the application
but it never redirects to test.aspx.

Any suggestions??

Bijoy
Nov 18 '05 #1
Share this Question
Share on Google+
9 Replies


P: n/a
The forms tag in the web.config file has a loginUrl attribute that you can
give it an login.aspx page which every user will be redirected to this page
if they are not authenticated. Once authenticated, they will be
automatically be redirected to the page that they were trying to access.

"Bijoy Naick" wrote:
I've implemented forms authentication and authorization on my application.
In my Web.Config, my authorization section looks like this..

<authorization>
<allow roles="admin" />
<deny users="*" />
</authorization>

If an authenticated user, who is NOT designated the role "admin" attempts
to access this folder, he/she is simply redirected to the login page.

How do I detect a failed authorization and display a meaninfull error msg? I
found an article which came up with solution :

Sub Global_EndRequest(ByVal sender As Object, ByVal e As System.EventArgs)
Handles MyBase.EndRequest
If User.Identity.IsAuthenticated And Response.StatusCode = "401" Then
Response.Redirect("test.aspx")
End If
End Sub

When I implement this, and the the situation described above occurs, the
application seems to hang.. ie. the user isn't allowed into the application
but it never redirects to test.aspx.

Any suggestions??

Bijoy

Nov 18 '05 #2

P: n/a
I think u misunderstood my question. The authentication piece works fine.

Problem occurs when a user authentcates successfully but does not have
access (authorization) to a folder. In this case, they get booted back to
teh login page.. How can I detect a failed authorization? so that I can
display a meaningfull error msg.

Bijoy
"Tampa .NET Koder" <Ta***********@discussions.microsoft.com> wrote in
message news:D3**********************************@microsof t.com...
The forms tag in the web.config file has a loginUrl attribute that you can give it an login.aspx page which every user will be redirected to this page if they are not authenticated. Once authenticated, they will be
automatically be redirected to the page that they were trying to access.

"Bijoy Naick" wrote:
I've implemented forms authentication and authorization on my application. In my Web.Config, my authorization section looks like this..

<authorization>
<allow roles="admin" />
<deny users="*" />
</authorization>

If an authenticated user, who is NOT designated the role "admin" attempts to access this folder, he/she is simply redirected to the login page.

How do I detect a failed authorization and display a meaninfull error msg? I found an article which came up with solution :

Sub Global_EndRequest(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.EndRequest
If User.Identity.IsAuthenticated And Response.StatusCode = "401" Then Response.Redirect("test.aspx")
End If
End Sub

When I implement this, and the the situation described above occurs, the
application seems to hang.. ie. the user isn't allowed into the application but it never redirects to test.aspx.

Any suggestions??

Bijoy

Nov 18 '05 #3

P: n/a
Hi Bijoy,

This might work for you. It is what I use. It goes in your global.asax
file. Ken.

Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As
EventArgs)
Dim appHTTP As HttpApplication = CType(sender, HttpApplication)

'Check if the user is authenticated.
If (appHTTP.Request.IsAuthenticated = True) Then
'Do nothing.
Else
'Redirect where you want the user to go.
'Here you can also find out what page they
'were trying to get to and customize your
'response accordingly.
End If
End Sub

Good luck! Ken.

--
Ken Dopierala Jr.
For great ASP.Net web hosting try:
http://www.webhost4life.com/default.asp?refid=Spinlight
If you sign up under me and need help, email me.

"Bijoy Naick" <b_*****@yahoo.ca> wrote in message
news:uy**************@TK2MSFTNGP11.phx.gbl...
I've implemented forms authentication and authorization on my application.
In my Web.Config, my authorization section looks like this..

<authorization>
<allow roles="admin" />
<deny users="*" />
</authorization>

If an authenticated user, who is NOT designated the role "admin" attempts
to access this folder, he/she is simply redirected to the login page.

How do I detect a failed authorization and display a meaninfull error msg? I found an article which came up with solution :

Sub Global_EndRequest(ByVal sender As Object, ByVal e As System.EventArgs)
Handles MyBase.EndRequest
If User.Identity.IsAuthenticated And Response.StatusCode = "401" Then
Response.Redirect("test.aspx")
End If
End Sub

When I implement this, and the the situation described above occurs, the
application seems to hang.. ie. the user isn't allowed into the application but it never redirects to test.aspx.

Any suggestions??

Bijoy

Nov 18 '05 #4

P: n/a
Ken,

Thanks for the response.. I don't understand how the code you provided will
detect a "failed AUTHORIZATION". It will probably detect a failed
"AUTHENTICATION" attempt.

Am I missing something?

Bijoy
"Ken Dopierala Jr." <kd*********@wi.rr.com> wrote in message
news:Ok**************@TK2MSFTNGP14.phx.gbl...
Hi Bijoy,

This might work for you. It is what I use. It goes in your global.asax
file. Ken.

Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As
EventArgs)
Dim appHTTP As HttpApplication = CType(sender, HttpApplication)

'Check if the user is authenticated.
If (appHTTP.Request.IsAuthenticated = True) Then
'Do nothing.
Else
'Redirect where you want the user to go.
'Here you can also find out what page they
'were trying to get to and customize your
'response accordingly.
End If
End Sub

Good luck! Ken.

--
Ken Dopierala Jr.
For great ASP.Net web hosting try:
http://www.webhost4life.com/default.asp?refid=Spinlight
If you sign up under me and need help, email me.

"Bijoy Naick" <b_*****@yahoo.ca> wrote in message
news:uy**************@TK2MSFTNGP11.phx.gbl...
I've implemented forms authentication and authorization on my application. In my Web.Config, my authorization section looks like this..

<authorization>
<allow roles="admin" />
<deny users="*" />
</authorization>

If an authenticated user, who is NOT designated the role "admin" attempts to access this folder, he/she is simply redirected to the login page.

How do I detect a failed authorization and display a meaninfull error msg?
I
found an article which came up with solution :

Sub Global_EndRequest(ByVal sender As Object, ByVal e As

System.EventArgs) Handles MyBase.EndRequest
If User.Identity.IsAuthenticated And Response.StatusCode = "401" Then Response.Redirect("test.aspx")
End If
End Sub

When I implement this, and the the situation described above occurs, the
application seems to hang.. ie. the user isn't allowed into the

application
but it never redirects to test.aspx.

Any suggestions??

Bijoy


Nov 18 '05 #5

P: n/a
Hi Bijoy,

It is the If statement:

If (appHTTP.Request.IsAuthenticated = True) Then

I think this fires, after every authentication request and before the user
is redirected to any login page. But I might be wrong. Look at the Else
statement in the code below:

If (appHTTP.Request.IsAuthenticated = True) Then
'do nothing
Else 'Now you know you have a failed auth.
'*********Right here redirect your failed auth user
'whereever you want before they get redirected to
'the login page.
End If

If this doesn't work post back here and we'll figure out something else.
Good luck! Ken.

--
Ken Dopierala Jr.
For great ASP.Net web hosting try:
http://www.webhost4life.com/default.asp?refid=Spinlight
If you sign up under me and need help, email me.

"Bijoy Naick" <b_*****@yahoo.ca> wrote in message
news:uv**************@TK2MSFTNGP09.phx.gbl...
Ken,

Thanks for the response.. I don't understand how the code you provided will detect a "failed AUTHORIZATION". It will probably detect a failed
"AUTHENTICATION" attempt.

Am I missing something?

Bijoy
"Ken Dopierala Jr." <kd*********@wi.rr.com> wrote in message
news:Ok**************@TK2MSFTNGP14.phx.gbl...
Hi Bijoy,

This might work for you. It is what I use. It goes in your global.asax
file. Ken.

Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As
EventArgs)
Dim appHTTP As HttpApplication = CType(sender, HttpApplication)

'Check if the user is authenticated.
If (appHTTP.Request.IsAuthenticated = True) Then
'Do nothing.
Else
'Redirect where you want the user to go.
'Here you can also find out what page they
'were trying to get to and customize your
'response accordingly.
End If
End Sub

Good luck! Ken.

--
Ken Dopierala Jr.
For great ASP.Net web hosting try:
http://www.webhost4life.com/default.asp?refid=Spinlight
If you sign up under me and need help, email me.

"Bijoy Naick" <b_*****@yahoo.ca> wrote in message
news:uy**************@TK2MSFTNGP11.phx.gbl...
I've implemented forms authentication and authorization on my application. In my Web.Config, my authorization section looks like this..

<authorization>
<allow roles="admin" />
<deny users="*" />
</authorization>

If an authenticated user, who is NOT designated the role "admin" attempts to access this folder, he/she is simply redirected to the login page.

How do I detect a failed authorization and display a meaninfull error msg?
I
found an article which came up with solution :

Sub Global_EndRequest(ByVal sender As Object, ByVal e As

System.EventArgs) Handles MyBase.EndRequest
If User.Identity.IsAuthenticated And Response.StatusCode = "401" Then Response.Redirect("test.aspx")
End If
End Sub

When I implement this, and the the situation described above occurs, the application seems to hang.. ie. the user isn't allowed into the

application
but it never redirects to test.aspx.

Any suggestions??

Bijoy



Nov 18 '05 #6

P: n/a
Sorry folks.. The code I posted at the bottom of my original post actually
works. I made the mistake of redirecting users to another protected file..
as a result it got into an infinite loop..

Bijoy

"Bijoy Naick" <b_*****@yahoo.ca> wrote in message
news:uy**************@TK2MSFTNGP11.phx.gbl...
I've implemented forms authentication and authorization on my application.
In my Web.Config, my authorization section looks like this..

<authorization>
<allow roles="admin" />
<deny users="*" />
</authorization>

If an authenticated user, who is NOT designated the role "admin" attempts
to access this folder, he/she is simply redirected to the login page.

How do I detect a failed authorization and display a meaninfull error msg? I found an article which came up with solution :

Sub Global_EndRequest(ByVal sender As Object, ByVal e As System.EventArgs)
Handles MyBase.EndRequest
If User.Identity.IsAuthenticated And Response.StatusCode = "401" Then
Response.Redirect("test.aspx")
End If
End Sub

When I implement this, and the the situation described above occurs, the
application seems to hang.. ie. the user isn't allowed into the application but it never redirects to test.aspx.

Any suggestions??

Bijoy

Nov 18 '05 #7

P: n/a
I don't think this can be trapped within the global.asax file then, the
authentication request is handled throught it. However, if your user does get
the IE 403 error page, "Not Authorized to view this page", then you can
replace this error page with your own using the <customErrors element> like
below:

<customErrors mode="RemoteOnly" defaultRedirect="/genericerror.htm">
<error statusCode="500" redirect="/error/callsupport.htm"/>
<error statusCode="404" redirect="/error/notfound.aspx"/>
<error statusCode="403" redirect="/error/noaccess.aspx"/>
</customErrors>

this is all I can think of.

"Bijoy Naick" wrote:
I think u misunderstood my question. The authentication piece works fine.

Problem occurs when a user authentcates successfully but does not have
access (authorization) to a folder. In this case, they get booted back to
teh login page.. How can I detect a failed authorization? so that I can
display a meaningfull error msg.

Bijoy
"Tampa .NET Koder" <Ta***********@discussions.microsoft.com> wrote in
message news:D3**********************************@microsof t.com...
The forms tag in the web.config file has a loginUrl attribute that you

can
give it an login.aspx page which every user will be redirected to this

page
if they are not authenticated. Once authenticated, they will be
automatically be redirected to the page that they were trying to access.

"Bijoy Naick" wrote:
I've implemented forms authentication and authorization on my application. In my Web.Config, my authorization section looks like this..

<authorization>
<allow roles="admin" />
<deny users="*" />
</authorization>

If an authenticated user, who is NOT designated the role "admin" attempts to access this folder, he/she is simply redirected to the login page.

How do I detect a failed authorization and display a meaninfull error msg? I found an article which came up with solution :

Sub Global_EndRequest(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.EndRequest
If User.Identity.IsAuthenticated And Response.StatusCode = "401" Then Response.Redirect("test.aspx")
End If
End Sub

When I implement this, and the the situation described above occurs, the
application seems to hang.. ie. the user isn't allowed into the application but it never redirects to test.aspx.

Any suggestions??

Bijoy


Nov 18 '05 #8

P: n/a
HI Bijoy Naick,
Where does the code:-
Sub Global_EndRequest(ByVal sender As Object, ByVal e As System.EventArgs)
Handles MyBase.EndRequest
If User.Identity.IsAuthenticated And Response.StatusCode = "401" Then
Response.Redirect("test.aspx")
End If
End Sub

Go to is it TO THE GLOBAL.ASAX file?
Patrick

"Bijoy Naick" wrote:
Sorry folks.. The code I posted at the bottom of my original post actually
works. I made the mistake of redirecting users to another protected file..
as a result it got into an infinite loop..

Bijoy

"Bijoy Naick" <b_*****@yahoo.ca> wrote in message
news:uy**************@TK2MSFTNGP11.phx.gbl...
I've implemented forms authentication and authorization on my application.
In my Web.Config, my authorization section looks like this..

<authorization>
<allow roles="admin" />
<deny users="*" />
</authorization>

If an authenticated user, who is NOT designated the role "admin" attempts
to access this folder, he/she is simply redirected to the login page.

How do I detect a failed authorization and display a meaninfull error msg?

I
found an article which came up with solution :

Sub Global_EndRequest(ByVal sender As Object, ByVal e As System.EventArgs)
Handles MyBase.EndRequest
If User.Identity.IsAuthenticated And Response.StatusCode = "401" Then
Response.Redirect("test.aspx")
End If
End Sub

When I implement this, and the the situation described above occurs, the
application seems to hang.. ie. the user isn't allowed into the

application
but it never redirects to test.aspx.

Any suggestions??

Bijoy


Nov 18 '05 #9

P: n/a
Yes, this goes in the global.asax file

"Patrick.O.Ige" <Pa*********@discussions.microsoft.com> wrote in message
news:BA**********************************@microsof t.com...
HI Bijoy Naick,
Where does the code:-
> Sub Global_EndRequest(ByVal sender As Object, ByVal e As
> System.EventArgs)
> Handles MyBase.EndRequest
> If User.Identity.IsAuthenticated And Response.StatusCode = "401"
> Then
> Response.Redirect("test.aspx")
> End If
> End Sub


Go to is it TO THE GLOBAL.ASAX file?
Patrick

"Bijoy Naick" wrote:
Sorry folks.. The code I posted at the bottom of my original post
actually
works. I made the mistake of redirecting users to another protected
file..
as a result it got into an infinite loop..

Bijoy

"Bijoy Naick" <b_*****@yahoo.ca> wrote in message
news:uy**************@TK2MSFTNGP11.phx.gbl...
> I've implemented forms authentication and authorization on my
> application.
> In my Web.Config, my authorization section looks like this..
>
> <authorization>
> <allow roles="admin" />
> <deny users="*" />
> </authorization>
>
> If an authenticated user, who is NOT designated the role "admin"
> attempts
> to access this folder, he/she is simply redirected to the login page.
>
> How do I detect a failed authorization and display a meaninfull error
> msg?

I
> found an article which came up with solution :
>
> Sub Global_EndRequest(ByVal sender As Object, ByVal e As
> System.EventArgs)
> Handles MyBase.EndRequest
> If User.Identity.IsAuthenticated And Response.StatusCode = "401"
> Then
> Response.Redirect("test.aspx")
> End If
> End Sub
>
> When I implement this, and the the situation described above occurs,
> the
> application seems to hang.. ie. the user isn't allowed into the

application
> but it never redirects to test.aspx.
>
> Any suggestions??
>
> Bijoy
>
>


Nov 18 '05 #10

This discussion thread is closed

Replies have been disabled for this discussion.