authorization / authentication policy help

[yofnik]

Hello,

Using policy (modifying web.config) and FormsAuthentication, is it
possible to return an error message (or redirect to error page) instead
of redirecting to the login page for specific users only?

Here's an example:
I have a section of my web app that is for admins only. The
authorization section of my web.config looks like.

<authentication mode="Forms">
<forms loginUrl="login.aspx">
<credentials passwordFormat="Clear">
<user name="admin" password="password"/>
<user name="guest" password="password" />
</credentials>
</forms>
</authentication>

<authorization>
<deny users="?"/>
</authorization>

Now, for the admin section of the web app, I have a seperate location
element:

<location path="admin">
<system.web>
<authorization>
<allow users="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

This ALMOST solves what I want. The only thing I don't like is that if
the user "guest" tries to access the admin section, they get redirected
to the login.aspx page again. Instead, I would like to redirect them to
an error page or just show an error message.

Is this possible at all using policy only (ie - via web.config)?

Thanks.

 

[yofnik]

That is what I was afraid of. I am trying to avoid any code changes.

This ALMOST solves what I want. The only thing I don't like is that if
the user "guest" tries to access the admin section, they get redirected
to the login.aspx page again. Instead, I would like to redirect them to
an error page or just show an error message.

There's no way out to do it declaratively.

In Login.aspx:
if(Request.QueryString["ReturnUrl"] != null
&& Request.QueryString["ReturnUrl"].IndexOf("admin") >= 0
&& (!Request.IsAuthenticated || !Context.User.IsInRole("admin"))
{
// User was sent here by a page in admin section
// But he is 'guest' (not authenticated) or a non-admin guy
Response.Redirect("ErrorPage.aspx");
}


--
Happy Hacking,
Gaurav Vaish | www.mastergaurav.com
www.edujinionline.com
http://articles.edujinionline.com/webservices
-----------------------------------------

 

[ReyN]

you can set up your error pages using the customErrors element for
system.web in the web config file

for example, you can have a page for default redirect, or a page for
each error code you want to catch

<customErrors defaultRedirect="~/shared/genericerror.aspx"
mode="Off">
<error statusCode="404" redirect="~/shared/notfound.aspx" />
</customErrors>

you can also set up customErrors only in the web.config of a particular
folder

 

[ReyN]

you can set up your error pages using the customErrors element for
system.web in the web config file

for example, you can have a page for default redirect, or a page for
each error code you want to catch

<customErrors defaultRedirect="~/shared/genericerror.aspx"
mode="Off">
<error statusCode="404" redirect="~/shared/notfound.aspx" />
</customErrors>

you can also set up customErrors only in the web.config of a particular
folder