Role-based security and RedirectUrl

  • Thread starter: RedHair

RedHair

I use Forms Authentication and role-based security to secure an ASP.NET
3.5 application.
Below are the security settings in web.config:

<location path="testAdmin.aspx">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

If an anonymous user tries to access testAdmin.aspx, then he/she will be
redirected to the login page
based on the loginUrl setting of the <authentication> element.
But if a logged-on user whose role is not "Admin" tries to access the
testAdmin.aspx page, the system
still redirects him/her to the login page. In this case, is it possible to
redirect the user to another page other
than the login page, via configuration?
Or do I need to add Context.User.IsInRole("Admin") to each page?

Thanks.
 
RedHair
I think the setting you provided is doing the right thing, as only people with the Admin role can get to the page.
If you are using Forms auth then you can change the loginUrl property to suit your needs (to a different page).

You stated:
.. a logged-on user whose role is not "Admin" tries to access the
testAdmin.aspx page, the system
still redirects him/her to the login page

But that's what it's supposed to do.

If you want more control you can switch to Windows Auth and do the authorization in your code.
Then in code use User.IsInRole("Admin")
Look at these samples by Scott:
http://weblogs.asp.net/scottgu/page...ng-Windows-Authentication-and-SQL-Server.aspx
Hope that helps
Patrick
 
Thanks.
I hope there is a way to tell the user on the login page why he/she was
redirected to the login page: because of his role or because he is anonymous.

If it's due to the role security setting, the user will be redirected to the login
page again and again without any information, because he has a
valid account.


 
As I recall, there is a way to detect that the forms auth has redirected you
to the logon page in the EndRequest event (in global.asax) and to change
that to show a different page instead of doing a redirect. You would need to
execute the logic to test to see if the user is authenticated first, as you
need to ensure that the user is being redirected as authenticated but not
authorized as opposed to just "authenticated".

I think if you do some searches you'll find some samples of how to achieve
this. It is a bit of a pain that the built in system isn't a little more
flexible with this.

Joe K.
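
The EndRequest approach described in the reply above, as an added example that is not code from the thread. It assumes a page named AccessDenied.aspx (a hypothetical name) that every authenticated user may read, and that the Forms Authentication module has already rewritten the 401 into a redirect to loginUrl by the time the Global.asax handler runs; the 401 check covers the case where it has not.

```csharp
// Global.asax.cs (added example; AccessDenied.aspx is an assumed page name)
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Must be readable by every authenticated user, otherwise this
    // handler would keep redirecting to it in a loop.
    private const string AccessDeniedUrl = "~/AccessDenied.aspx";

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // Anonymous users keep the normal behaviour: go to loginUrl.
        if (!Request.IsAuthenticated)
            return;

        // Never rewrite the response for the access-denied page itself.
        string deniedPath = VirtualPathUtility.ToAbsolute(AccessDeniedUrl);
        if (string.Equals(Request.Path, deniedPath, StringComparison.OrdinalIgnoreCase))
            return;

        if (!IsAuthorizationFailure(Response))
            return;

        // Authenticated but not authorized: replace the login redirect.
        // endResponse=false avoids a ThreadAbortException this late in the pipeline.
        Response.Clear();
        Response.Redirect(AccessDeniedUrl, false);
    }

    private static bool IsAuthorizationFailure(HttpResponse response)
    {
        // UrlAuthorizationModule answers a denied request with 401 ...
        if (response.StatusCode == 401)
            return true;

        // ... which FormsAuthenticationModule turns into a 302 to loginUrl
        // (with ReturnUrl appended) in its own EndRequest handler.
        string location = response.RedirectLocation;
        return response.StatusCode == 302
            && location != null
            && location.StartsWith(FormsAuthentication.LoginUrl,
                                   StringComparison.OrdinalIgnoreCase);
    }
}
```

An application that deliberately sends signed-in users to the login page (for example right after sign-out) will also match the 302 check, so those requests need their own exception. The authorization decision itself still comes from the <authorization> rules in web.config; this handler only changes where a denied user lands.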
 