On Dec 20, 3:51 am, Mike Placentra II
<nothingsoriginalontheinter...@gmail.com> wrote:
Hi. When using Server.Transfer() to switch the request to a specific
web form (as opposed to a class implementing IHttpHandler, if it makes
any difference), do I have to do something special to have
Request.IsAuthorized set properly?
When searching for a solution I read that Server.Transfer() does not
invoke the AuthorizeRequest event or something. Is there maybe a way
to make that happen since the request is being transferred to a web
form?
My reasons for not using Response.Redirect() are not just cosmetic,
but otherwise I would have switched to that already.
Thanks,
-Mike Placentra II
Quote:
http://msdn2.microsoft.com/en-us/lib...xx(vs.80).aspx
ASP.NET does not verify that the current user is authorized to view
the resource that is delivered by the Transfer method. Although the
ASP.NET authorization and authentication logic runs before the
original resource handler is called, ASP.NET directly calls the
handler indicated by the Transfer method and does not rerun
authentication and authorization logic for the new resource. If the
security policy for your application requires clients to have proper
authorization to access the resource, the application should force
reauthorization or provide a custom access-control mechanism.
You can force reauthorization by using the Redirect method instead of
the Transfer method. The Redirect method performs a client-side
redirect in which the browser requests the new resource. Because this
redirect is a new request entering the system, it is subjected to all
the authentication and authorization logic of both the IIS and ASP.NET
security policy.
You can verify that the user has permission to view the resource by
incorporating a custom authorization method that uses the IsInRole
method before the application calls the Transfer method.
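
One way to do the pre-Transfer check that the quoted MSDN text describes, as an added example (not code from this thread or from MSDN). The class name AuthorizedTransfer, the target path and the role name are hypothetical, and the sketch assumes every transfer target requires a signed-in user.

```csharp
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper: authorize the caller for the target resource first,
// then hand the request over with Server.Transfer.
public static class AuthorizedTransfer
{
    // requiredRole may be null when the web.config rules alone decide access.
    // Constructed usage, from the page that would have called Transfer directly:
    //   AuthorizedTransfer.Execute(Context, "~/Reports/Summary.aspx", "ReportViewers");
    public static void Execute(HttpContext context, string targetPath, string requiredRole)
    {
        IPrincipal user = context.User;

        // Assumption: no transfer target is meant for anonymous users.
        if (user == null || !user.Identity.IsAuthenticated)
        {
            throw new HttpException(403, "Access denied.");
        }

        // Custom role check with IsInRole, as the MSDN text suggests.
        if (requiredRole != null && !user.IsInRole(requiredRole))
        {
            throw new HttpException(403, "Access denied.");
        }

        // Evaluate the <authorization> rules configured for the target path.
        // This is the URL authorization decision that is not rerun for the
        // new resource on Transfer. It does not cover NTFS file ACL checks.
        bool allowed = UrlAuthorizationModule.CheckUrlAccessForPrincipal(
            targetPath, user, context.Request.HttpMethod);
        if (!allowed)
        {
            throw new HttpException(403, "Access denied.");
        }

        // Only an authorized caller reaches the transfer.
        context.Server.Transfer(targetPath);
    }
}
```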