
Role base security and RedirectUrl

I use Forms Authentication and role-based security to secure one ASP.NET 3.5 application.
Below are the security settings in web.config:

<location path="testAdmin.aspx">
  <system.web>
    <authorization>
      <allow roles="Admin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

If an anonymous user tries to access testAdmin.aspx, then he/she will be redirected to the login page based on the loginUrl setting of the <authentication> element, but if a logged-on user whose role is not "Admin" tries to access the testAdmin.aspx page, the system still redirects him/her to the login page. In this case, is it possible to redirect the user to another page other than the login page, via configuration?
Or do I need to add Context.User.IsInRole("Admin") to each page?

Thanks.

Oct 6 '08 #1


RedHair,
I think the setting you provided is doing the right thing, as only people with the Admin role can get to the page.
If you are using Forms auth, then you can change the loginUrl property to suit your need (to a different page).

You stated:
> .. a logoned user whose role is not "Admin" tries access the
> testAdmin.aspx page, the system
> still redirect him/her to login page

But that's what it's supposed to do.

If you want more control, you can switch to Windows Auth and do the authorization in your code.
Then in code use User.IsInRole("Admin").
Look at these samples by Scott:
http://weblogs.asp.net/scottgu/pages...QL-Server.aspx
Hope that helps
Patrick


Oct 6 '08 #2

Thanks.
I hope there is a way to tell the user on the login page why he/she was redirected to the login page: because of his role, or because he is anonymous.

If it's due to the role security setting, the user will be redirected to the login page again and again without any information, because he has a valid account.
Oct 7 '08 #3

As I recall, there is a way to detect that the forms auth has redirected you
to the logon page in the EndRequest event (in global.asax) and to change
that to show a different page instead of doing a redirect. You would need to
execute the logic to test to see if the user is authenticated first, as you
need to ensure that the user is being redirected as authenticated but not
authorized as opposed to just "authenticated".

I think if you do some searches you'll find some samples of how to achieve
this. It is a bit of a pain that the built-in system isn't a little more
flexible with this.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
Oct 7 '08 #4
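
A sketch of the EndRequest approach described in the last reply, added here as an example and not code posted by anyone in the thread: it retargets the forms-auth redirect only when the caller is already authenticated, so anonymous users still reach the login page. The AccessDenied.aspx page name is an assumption; it must be a fixed local path that every authenticated user is allowed to read.

```csharp
// Global.asax.cs -- added example, not code from the thread.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Hypothetical page name (assumption). Keep it a fixed local path so the
    // redirect target can never be influenced by request data.
    private const string AccessDeniedPage = "~/AccessDenied.aspx";

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // By this point FormsAuthenticationModule has already converted the
        // 401 raised by the <authorization> rules into a 302 to loginUrl.
        if (Response.StatusCode != 302) return;

        string target = Response.RedirectLocation;
        if (string.IsNullOrEmpty(target)) return;

        // Only touch redirects that point at the configured login page
        // (the module appends ?ReturnUrl=... to it).
        if (!target.StartsWith(FormsAuthentication.LoginUrl,
                               StringComparison.OrdinalIgnoreCase)) return;

        // Anonymous callers keep the normal redirect to the login page.
        if (!Request.IsAuthenticated) return;

        // Authenticated but not authorized: drop the "Object moved" body that
        // links to the login page and send the user to the fixed page instead.
        Response.ClearContent();
        Response.RedirectLocation = VirtualPathUtility.ToAbsolute(AccessDeniedPage);
    }
}
```

The <allow roles="Admin"/> / <deny users="*"/> rule in web.config stays the enforcement point; this handler only changes where a denied, logged-on user lands.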
