Role base security and RedirectUrl

  • RedHair

    Role base security and RedirectUrl

    I use Forms Authentication and role-based security to secure one ASP.NET
    3.5 application.
    Below are the security settings in web.config:

    <location path="testAdmin.aspx">
      <system.web>
        <authorization>
          <allow roles="Admin"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </location>

    If an anonymous user tries to access testAdmin.aspx, he/she will be
    redirected to the login page based on the loginUrl setting of the
    <authentication> element, but if a logged-on user whose role is not
    "Admin" tries to access the testAdmin.aspx page, the system still
    redirects him/her to the login page. In this case, is it possible to
    redirect the user to a page other than the login page via configuration?
    Or do I need to add Context.User.IsInRole("Admin") to each page?

    Thanks.



  • rote

    #2
    Re: Role base security and RedirectUrl

    RedHair,
    I think the setting you provided is doing the right thing, as only people with the Admin role can get to the page.
    If you are using Forms auth then you can change the loginUrl property to suit your need (to a different page).

    You stated:
    .. a logged-on user whose role is not "Admin" tries to access the
    testAdmin.aspx page, the system
    still redirects him/her to the login page

    But that's what it's supposed to do.

    If you want more control you can switch to Windows Auth and do the authorization in your code.
    Then in code use User.IsInRole("Admin").
    Look at these samples by Scott:

    Hope that helps
    Patrick



    • RedHair

      #3
      Re: Role base security and RedirectUrl

      Thanks.
      I hope there is a way to tell the user on the login page why he/she was
      redirected to the login page: because of his role or because he is anonymous.

      If it's due to the role security setting, the user will be redirected to the
      login page again and again without any information, because he has a
      valid account.



      • Joe Kaplan

        #4
        Re: Role base security and RedirectUrl

        As I recall, there is a way to detect that forms auth has redirected you
        to the logon page in the EndRequest event (in global.asax) and to change
        that to show a different page instead of doing a redirect. You would need to
        execute the logic to test whether the user is authenticated first, as you
        need to ensure that the user is being redirected as authenticated but not
        authorized as opposed to just "authenticated".

        I think if you do some searches you'll find some samples of how to achieve
        this. It is a bit of a pain that the built-in system isn't a little more
        flexible with this.

        Joe K.
        --
        Joe Kaplan-MS MVP Directory Services Programming
        Co-author of "The .NET Developer's Guide to Directory Services Programming"
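
The EndRequest check described in reply #4, as an added example that is not code from the thread or from any of its posters. Assumptions: `AccessDenied.aspx` is a hypothetical page name, `loginUrl` is an application-relative path without a query string, and the handler redirects to the denial page rather than rendering it in place. It handles both a 401 and a 302 to the login URL because which of the two is visible in `Application_EndRequest` is not stated in the thread.

```csharp
// Global.asax.cs: added example, not code from the thread.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Hypothetical page name (assumption). It must stay readable by every
    // authenticated user (no <deny> rule covering it), or this handler loops.
    private const string AccessDeniedPage = "~/AccessDenied.aspx";

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // Anonymous callers keep the stock behaviour: redirect to loginUrl.
        if (!Request.IsAuthenticated)
            return;

        // An authorization failure shows up either as the raw 401 set by
        // URL authorization or as the 302 to loginUrl that forms
        // authentication turns it into. Both cases are handled here.
        bool denied = Response.StatusCode == 401;
        bool sentToLogin = Response.StatusCode == 302
            && PointsAtLogin(Response.RedirectLocation);
        if (!denied && !sentToLogin)
            return;

        // Authenticated but not authorized: replace the login redirect
        // with a redirect to the denial page.
        Response.ClearContent();
        Response.StatusCode = 302;
        Response.RedirectLocation = VirtualPathUtility.ToAbsolute(AccessDeniedPage);
    }

    // True when a redirect target is the configured forms-auth login page,
    // ignoring the ?ReturnUrl=... query string that forms auth appends.
    private static bool PointsAtLogin(string location)
    {
        if (string.IsNullOrEmpty(location))
            return false;
        int q = location.IndexOf('?');
        string path = q >= 0 ? location.Substring(0, q) : location;
        return string.Equals(path, FormsAuthentication.LoginUrl,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

The `<authorization>` rule in web.config remains the enforcement point; this handler only changes where a rejected, already signed-in user lands, so the denial page can explain that the account lacks the required role.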
