Handling UnauthorizedAccessException

**PRR** · Jan 8 '09, 06:19 AM

You can put your code in try catch block and redirect?

Code:

try
            {
                throw new UnauthorizedAccessException();

            }
            catch (UnauthorizedAccessException ex) 
            {
Response.Redirect("somewhere.htm");
}

Another option would be to ask for user name and password to access the resource:Impers onation

http://support.microsoft.com/kb/306158

**imukai** · Jan 8 '09, 11:59 AM

Thank you for the reply but I'm afraid that doesn't help.

As I said in my initial post:

1. Using Integrated Windows Authentication on one particular .aspx
2. On the file system, have DENY access to certain people.
3. If one of those people type in the URL to that .aspx, an exception is generated that I cannot find where to trap.

People not on the DENY list can access the .aspx just fine. It's just those people that are on that list generate the UnauthorizedAcc essException.

I can't put a try/catch until I know where to put it. I tried overriding the page's ProcessRequest to see if it's even getting that far - it isn't.

This tells me that maybe I need some sort of handler or something to capture the attempted access to the file, but I don't know what to use.

Recreating this should be easy.

1. In any of your Forms Authentication websites, in IIS, right click an .aspx that you want to use, go to Properties, File Security, Authentication and access control.
2. Turn off Enable Anonymous and turn on Integrated Windows Authentication. Hit OK.
3. Open Windows Explorer and browse to where that .aspx is located, right click Properties, Security.
4. Add your username and click Deny for Read and Read & Execute, hit OK.

Now try to access that .aspx. Unless your browser is set to automatically log you in, you'll get the Username/Password popup box. Sign in with your information. You should get the exception I was referring to.

Ideally if you are going to recreate this, you'll have two Windows accounts that you can use - one that you can set DENY access on, and one that is not denied so you can verify that Integrated Windows Authentication is working.

**Frinavale** · Jan 8 '09, 03:14 PM

There's 2 things that I can suggest.

The first is to modify your web.config file and set your CustomErrors tag to redirect any user to a "safe" page when an error occurs.

For example:
Expand|Select|W rap|Line Numbers

<customErrors mode="On" defaultRedirect ="http://bytes.com"></customErrors>

Check out custom errors to see what else they can do for you.

The second thing I would suggest is implementing a method that handles the Application_Err or event in the Global.asax file. This method is executed every time an unhandled error occurs in the application.

To determine what type of exception/error happened, you can retrieve the last exception that occurred on the server by using Server.GetLastE rror.GetBaseExc eption. From there you can check if it's an UnauthorizedAcc essException and redirect the user accordingly.

Eg:

Code:

 
Sub Application_Error(ByVal sender As Object, ByVal e As EventArgs) 
   Dim ex As Exception 
   ex = Server.GetLastError.GetBaseException 
   If ex IsNot Nothing Then 
      'Check the type of exception and take action accordingly. 
      'I would also record any violations at this point 
   End If 
    Server.ClearError() 
End Sub

The Server.ClearErr or() clears the error and prevents it from being bubbled up any further.

Hope this helps.

-Frinny

**imukai** · Jan 8 '09, 04:13 PM

It might not be the "correct" way to handle it, but the global.asax suggestion was a good one, and works. Thank you. =)

I'm still curious where in the lifecycle this goes before the error is generated.

Is there a way to determine exactly what called the Application_Err or?

Since the stack trace has System.IO in it right before it bombs out, I'm guessing it came from the filesystem, but .NET had to process it somewhere... and ultimately it's that somewhere that I'd like to trap this error.

For now, global.asax works. Thanks again.

**Frinavale** · Jan 8 '09, 04:28 PM

Originally posted by imukai

It might not be the "correct" way to handle it, but the global.asax suggestion was a good one, and works. Thank you. =)

I'm still curious where in the lifecycle this goes before the error is generated.

Is there a way to determine exactly what called the Application_Err or?

Since the stack trace has System.IO in it right before it bombs out, I'm guessing it came from the filesystem, but .NET had to process it somewhere... and ultimately it's that somewhere that I'd like to trap this error.

For now, global.asax works. Thanks again.

It probably occurs when the request for the resource is made, before any of your ASPX page code is accessed. Since ASP.NET generates the error at this stage it's impossible to catch the error anywhere else except the Global.asax

**PRR** · Jan 9 '09, 07:15 AM

In addition to what Frinny said ... try page_error...

Code:

 public void Page_Error(object sender, EventArgs e)
 {
Exception objError = Server.GetLastError().GetBaseException();
        Type t=objError.GetType();
        Type t1 = typeof(System.UnauthorizedAccessException);
        if (t == t1)
        {
            Response.Redirect("~/YourAccessVoilationPage.aspx");
        }
        else 
        {
            //some other Exception 
        }
}

**imukai** · Jan 9 '09, 11:59 AM

I presume you mean Page_Error within that specific .aspx

On that suggestion, I gave it a try - unfortunately it does not appear to call it.

From what I understand of the lifecycle of a page, the first thing that gets called is ProcessRequest (part of the base Page class) - but even that isn't being called, so I believe .NET is being stopped by the filesystem before it has a chance to touch the offending page.

Unless this can be trapped by some sort of ISAPI or something, I think Frinavale's solution is probably the only feasible one for this situation.

**Frinavale** · Jan 9 '09, 02:18 PM

The page_error captures any errors that happens within that .aspx page but this exception's thrown before the page code is executed.

There are a number of things that happen before your code is actually run which can generate errors (before any page class code is called). The Global.asax handles anything that happens with regard to the application and so it's able to catch the exception thrown.

Handling UnauthorizedAccessException

Handling UnauthorizedAccessException

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment