Detecting Failed Authorization

Bijoy Naick

I've implemented forms authentication and authorization on my application.
In my Web.Config, my authorization section looks like this..

<authorization>
    <allow roles="admin" />
    <deny users="*" />
</authorization>

If an authenticated user, who is NOT designated the role "admin" attempts
to access this folder, he/she is simply redirected to the login page.

How do I detect a failed authorization and display a meaningful error msg? I
found an article which came up with a solution:

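' Runs at the end of every request (Global.asax code-behind).
Sub Global_EndRequest(ByVal sender As Object, ByVal e As System.EventArgs) _
        Handles MyBase.EndRequest
    ' Signed-in user plus a 401 status means authorization (not authentication) failed.
    If User.Identity.IsAuthenticated AndAlso Response.StatusCode = 401 Then
        Response.Redirect("test.aspx")
    End If
End Sub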

When I implement this, and the situation described above occurs, the
application seems to hang.. i.e. the user isn't allowed into the application
but it never redirects to test.aspx.

Any suggestions??

Bijoy
 
Guest

The forms tag in the web.config file has a loginUrl attribute that you can
point at a login.aspx page; every user will be redirected to this page
if they are not authenticated. Once authenticated, they will
automatically be redirected to the page that they were trying to access.
 
Bijoy Naick

I think u misunderstood my question. The authentication piece works fine.

Problem occurs when a user authenticates successfully but does not have
access (authorization) to a folder. In this case, they get booted back to
the login page.. How can I detect a failed authorization, so that I can
display a meaningful error msg?

Bijoy
 
Ken Dopierala Jr.

Hi Bijoy,

This might work for you. It is what I use. It goes in your global.asax
file. Ken.

Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
    Dim appHTTP As HttpApplication = CType(sender, HttpApplication)

    'Check if the user is authenticated.
    If (appHTTP.Request.IsAuthenticated = True) Then
        'Do nothing.
    Else
        'Redirect where you want the user to go.
        'Here you can also find out what page they
        'were trying to get to and customize your
        'response accordingly.
    End If
End Sub

Good luck! Ken.
 
Bijoy Naick

Ken,

Thanks for the response.. I don't understand how the code you provided will
detect a "failed AUTHORIZATION". It will probably detect a failed
"AUTHENTICATION" attempt.

Am I missing something?

Bijoy
 
Ken Dopierala Jr.

Hi Bijoy,

It is the If statement:

If (appHTTP.Request.IsAuthenticated = True) Then

I think this fires after every authentication request and before the user
is redirected to any login page. But I might be wrong. Look at the Else
statement in the code below:

If (appHTTP.Request.IsAuthenticated = True) Then
    'do nothing
Else 'Now you know you have a failed auth.
    '*********Right here redirect your failed auth user
    'wherever you want before they get redirected to
    'the login page.
End If

If this doesn't work post back here and we'll figure out something else.
Good luck! Ken.
 
Bijoy Naick

Sorry folks.. The code I posted at the bottom of my original post actually
works. I made the mistake of redirecting users to another protected file..
as a result it got into an infinite loop..

Bijoy
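
Added example, not part of any post in this thread: the EndRequest handler from the first post with a guard against the redirect loop described just above, plus a log line for the denial. The class name `Global_asax`, the page `~/AccessDenied.aspx` and the log message are assumptions; the page must sit outside the admin-only folder so that any signed-in user can read it.

```vb
Imports System
Imports System.Web

' Hypothetical Global.asax code-behind class (name is an assumption).
Public Class Global_asax
    Inherits HttpApplication

    ' Assumption: this page is NOT covered by the <allow roles="admin" /> rule.
    Private Const DeniedPage As String = "~/AccessDenied.aspx"

    Private Sub Global_EndRequest(ByVal sender As Object, ByVal e As EventArgs) _
            Handles MyBase.EndRequest

        ' A signed-in user who still got 401 failed authorization,
        ' not authentication. Anything else is left to forms authentication.
        If Not Request.IsAuthenticated OrElse Response.StatusCode <> 401 Then
            Return
        End If

        Dim deniedPath As String = VirtualPathUtility.ToAbsolute(DeniedPage)

        ' Loop guard: if the error page itself is the resource being refused,
        ' redirecting to it again would repeat forever. Fall through to the
        ' default behaviour (login page) instead.
        If String.Equals(Request.FilePath, deniedPath, _
                         StringComparison.OrdinalIgnoreCase) Then
            Return
        End If

        ' An authenticated user probing a restricted area is worth recording.
        System.Diagnostics.Trace.TraceWarning( _
            "Authorization denied: user={0} path={1}", _
            User.Identity.Name, Request.FilePath)

        ' False = do not abort the thread; the request is already ending.
        Response.Redirect(deniedPath, False)
    End Sub
End Class
```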
 
Guest

I don't think this can be trapped within the global.asax file then, the
authentication request is handled through it. However, if your user does get
the IE 403 error page, "Not Authorized to view this page", then you can
replace this error page with your own using the <customErrors> element like
below:

<customErrors mode="RemoteOnly" defaultRedirect="/genericerror.htm">
    <error statusCode="500" redirect="/error/callsupport.htm"/>
    <error statusCode="404" redirect="/error/notfound.aspx"/>
    <error statusCode="403" redirect="/error/noaccess.aspx"/>
</customErrors>

this is all I can think of.
 
