Security

Re: Redirect an authenitcated user from a page to which they are denied access in the Web.config

ngruson — Wed, 12 Sep 2007 14:05:15 GMT

Hi Bob,

Read this posting on how to redirect your unauthorized user to the an 'access denied' page. I had the same problem and I solved it reading this.

Good luck!

Re: Redirect an authenitcated user from a page to which they are denied access in the Web.config

rvarcher — Wed, 12 Sep 2007 13:45:15 GMT

First, I thought that when the denied page was encountered by the logged-in user that .Net would redirect the user to the application's forms authentication login page. But I guess that doesn't happen because the user is already authenticated.

I also thought that maybe when the user tried to access a denied resource that the server would return a 403, so I tried to catch it in customErrors in Web.config. but that didn't work either.

I've been thinking about it and I don't know how much of a real world issue it will be. I was just looking for a more graceful way to handle it. I guess you could distill my question down to this - What to do when an authenticated user tries to access a page that they are denied access to?

Thanks,

- bob

Re: Redirect an authenitcated user from a page to which they are denied access in the Web.config

XiaoYong Dai – MSFT — Wed, 12 Sep 2007 08:14:15 GMT

rvarcher:

- An ~authenticated~ user NOT in the Allowed_User_Role tries to go to ~/MYDIR/mypage.aspx. I want to redirect this user somewhere and say, "Don't do that." This ~doesn't~ work.

For investigation, could you provide more information about how you handle this redirection and display the message to user? Maybe we can find some clue.

Redirect an authenitcated user from a page to which they are denied access in the Web.config

rvarcher — Mon, 10 Sep 2007 20:58:15 GMT

In my web.config

  <LOCATION path="MYDIR">
    <SYSTEM.WEB>
      <AUTHORIZATION>
        <DENY users="*">
        <ALLOW roles="Allowed_User_Role">
      </AUTHORIZATION>
    </SYSTEM.WEB>
  </LOCATION>

In my web.sitemap

      <SITEMAPNODE title="My Page" description="My Page" url="~/MYDIR/mypage.aspx" roles="Allowed_User_Role" />

What I want to happen:

- I don't want the SiteMapNode in my TreeView to show to users not in the Allowed_User_Role. This works.

- If an ~unauthenticated~ user goes to ~/MYDIR/mypage.aspx it redirects to the login page. This works.

- An ~authenticated~ user in the Allowed_User_Role sees the SiteMapNode option in my TreeView and can successfully access ~/MYDIR/mypage.aspx. This also works.

- An ~authenticated~ user NOT in the Allowed_User_Role does not see the SiteMapNode option in my TreeView. This works too.

- An ~authenticated~ user NOT in the Allowed_User_Role tries to go to ~/MYDIR/mypage.aspx. I want to redirect this user somewhere and say, "Don't do that." This ~doesn't~ work. I just get a "The page cannot be displayed" in IE and a "The page isn't redirecting properly. Navigator has detected that the server is redirecting the request for this address in a way that will never complete." in Netscape.

Any ideas?

Thanks,

- Bob Archer