RoleProvider Capturing Authentication Events

[Guest]

I have a Role Provider with a subdirectory protected via the web.config.
Forms authentication is used.
If a person who is not in the role tries to access a page in the directory,
the browser is redirected to the forms authentication logon page.

Is there a way to prevent this behavior?
I would prefer to just show the user an access denied page and maybe some
help text.

Maybe some events fire in the provider model or the global.asax?

 

[Steven Cheng[MSFT]]

Hello Chuck,

From your description, in your ASP.NET forms authentication secured web
application, you want to make those users (that will be redirected to the
login page) see different pages depend on whether they're unauthenticated
or doesn't have sufficient permission(role), correct?

If this is the case, I think the simplest and most convenient means is to
customize your login page and check the HttpContext.Current.User.Identity
to see whether it is authenticated. Because if a user is redirect to login
page due to unauthenticated, the Identity should be unauthenticated too,
while if the user is redirected due to unsufficient permission, it should
already has an authenticated identtiy. e.g.

=====in login page code==============
protected void Page_Load(object sender, EventArgs e)
{

if (Context.User.Identity.IsAuthenticated == true)
{
Server.Transfer("~/AccessDeniedPage.aspx");
//or use response.redirect(....)
}
}

==============

Also, you need to make sure you add authorization setting to allow all
authenticated users to access the "AccessDeniedPage" in web.conifg
====in web.config======
.............
<location path="AccessDeniedPage.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
...................
============================

Hope this helps.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================



This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Steven Cheng[MSFT]]

Hi Chuck,

Have you got the issue resolved or does the suggestion in my last reply
helps some? If there is any further question, please feel free to let me
know.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Guest]

I'll try that.
I guess the only time I would get sent to the page
while I was authenticated is for a 401.

 

[Steven Cheng[MSFT]]

Thanks for your reply Chuck,

For ASP.NET Forms Authentication, it will send redirect response to client
whenever the user fail to pass auhorization and need to be redirected to
login page. This differs from windows authentication which will result to
401 error. Therefore, the login page is the place you can get the
unauthorized or unauthenticated requests. Anyway, if you have any further
questions, please feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Steven Cheng[MSFT]]

Hi Chuck,

Have you got any progress or does the suggestion help you some? If there is
anything else we can help, plese feel free to let me know.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Guest]

thanks,
I coded the auth page to check for already authenticated as you suggested.
If authenticated, I assume they are not authorized.