Detecting Failed Authorization

  • Bijoy Naick

    Detecting Failed Authorization

    I've implemented forms authentication and authorization on my application.
    In my Web.Config, my authorization section looks like this..

    <authorization>
      <allow roles="admin" />
      <deny users="*" />
    </authorization>

    If an authenticated user, who is NOT designated the role "admin" attempts
    to access this folder, he/she is simply redirected to the login page.

    How do I detect a failed authorization and display a meaningful error msg? I
    found an article which came up with a solution:

    Sub Global_EndRequest(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.EndRequest
        If User.Identity.IsAuthenticated And Response.StatusCode = "401" Then
            Response.Redirect("test.aspx")
        End If
    End Sub

    When I implement this, and the situation described above occurs, the
    application seems to hang.. ie. the user isn't allowed into the application
    but it never redirects to test.aspx.

    Any suggestions??

    Bijoy


  • Tampa .NET Koder

    #2
    RE: Detecting Failed Authorization

    The forms tag in the web.config file has a loginUrl attribute that you can
    give a login.aspx page; every user will be redirected to this page
    if they are not authenticated. Once authenticated, they will
    automatically be redirected to the page that they were trying to access.


    • Bijoy Naick

      #3
      Re: Detecting Failed Authorization

      I think you misunderstood my question. The authentication piece works fine.

      Problem occurs when a user authenticates successfully but does not have
      access (authorization) to a folder. In this case, they get booted back to
      the login page.. How can I detect a failed authorization, so that I can
      display a meaningful error msg?

      Bijoy



      • Ken Dopierala Jr.

        #4
        Re: Detecting Failed Authorization

        Hi Bijoy,

        This might work for you. It is what I use. It goes in your global.asax
        file. Ken.

        Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
            Dim appHTTP As HttpApplication = CType(sender, HttpApplication)

            'Check if the user is authenticated.
            If (appHTTP.Request.IsAuthenticated = True) Then
                'Do nothing.
            Else
                'Redirect where you want the user to go.
                'Here you can also find out what page they
                'were trying to get to and customize your
                'response accordingly.
            End If
        End Sub

        Good luck! Ken.

        --
        Ken Dopierala Jr.
        For great ASP.Net web hosting try:

        If you sign up under me and need help, email me.


        • Bijoy Naick

          #5
          Re: Detecting Failed Authorization

          Ken,

          Thanks for the response.. I don't understand how the code you provided will
          detect a "failed AUTHORIZATION". It will probably detect a failed
          "AUTHENTICATION" attempt.

          Am I missing something?

          Bijoy



          • Ken Dopierala Jr.

            #6
            Re: Detecting Failed Authorization

            Hi Bijoy,

            It is the If statement:

            If (appHTTP.Request.IsAuthenticated = True) Then

            I think this fires, after every authentication request and before the user
            is redirected to any login page. But I might be wrong. Look at the Else
            statement in the code below:

            If (appHTTP.Request.IsAuthenticated = True) Then
                'do nothing
            Else 'Now you know you have a failed auth.
                '*********Right here redirect your failed auth user
                'wherever you want before they get redirected to
                'the login page.
            End If

            If this doesn't work post back here and we'll figure out something else.
            Good luck! Ken.

            --
            Ken Dopierala Jr.
            For great ASP.Net web hosting try:

            If you sign up under me and need help, email me.


            • Bijoy Naick

              #7
              Re: Detecting Failed Authorization

              Sorry folks.. The code I posted at the bottom of my original post actually
              works. I made the mistake of redirecting users to another protected file..
              as a result it got into an infinite loop..

              Bijoy

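
The loop described in the post above comes from sending the denied user to a page that the same authorization rules protect. As an added illustration (not code from the thread), this Web.config keeps the admin-only rule on a folder and exempts the redirect target; the folder name `admin`, the `login.aspx` name and the placement of `test.aspx` at the application root are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the thread. Assumed layout:
       /login.aspx   forms login page (assumed name)
       /test.aspx    "access denied" page used as the redirect target
       /admin/       folder restricted to the "admin" role (assumed name) -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" />
    </authentication>
    <!-- Application default: signed-in users only, no anonymous access. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The rule from the original post, scoped to the restricted folder. -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Redirect target for denied users. It has to be readable by every
       signed-in user, including those without the admin role. If it sat
       under the admin rule, the request for it would be denied as well,
       the handler would redirect again, and the browser would loop. -->
  <location path="test.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this layout the redirect in the EndRequest handler needs an application-rooted path to the page: a relative `test.aspx` requested from inside `/admin/` resolves to `/admin/test.aspx`, which the role rule still denies.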

              • Tampa .NET Koder

                #8
                Re: Detecting Failed Authorization

                I don't think this can be trapped within the global.asax file then, the
                authentication request is handled through it. However, if your user does get
                the IE 403 error page, "Not Authorized to view this page", then you can
                replace this error page with your own using the <customErrors> element like
                below:

                <customErrors mode="RemoteOnly" defaultRedirect="/genericerror.htm">
                  <error statusCode="500" redirect="/error/callsupport.htm"/>
                  <error statusCode="404" redirect="/error/notfound.aspx"/>
                  <error statusCode="403" redirect="/error/noaccess.aspx"/>
                </customErrors>

                this is all I can think of.


                • Patrick.O.Ige

                  #9
                  Re: Detecting Failed Authorization

                  HI Bijoy Naick,
                  Where does the code:-
                  > > Sub Global_EndRequest(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.EndRequest
                  > > If User.Identity.IsAuthenticated And Response.StatusCode = "401" Then
                  > > Response.Redirect("test.aspx")
                  > > End If
                  > > End Sub

                  Go to is it TO THE GLOBAL.ASAX file?
                  Patrick




                  • Bijoy Naick

                    #10
                    Re: Detecting Failed Authorization

                    Yes, this goes in the global.asax file
