1

I am trying to use role-based authorization in a declarative way. When an unauthorized user attempts to access a page, it never fires an exception or shows the user an error message. What should I do to show an unauthorized message? Is that possible in a declarative way?

Using code is not a nice option, since I have several roles, and a folder authorized for several roles while other folders are authorized for one role.

thanks

Costa
  • 3,897
  • 13
  • 48
  • 81
  • Could you show us how you've configured it? What does it do instead of showing an error? – Greg Sep 01 '10 at 20:16
  • Your question is not clearly defined. There are well-defined mechanisms in place to perform declarative access control, but in standard ASP.NET none of them will result in a 503. The most you can hope for is a non-descript redirect to the login page. This can be problematic and unsatisfactory in many scenarios. Please more clearly define what it is that you are trying to do and what measures you have heretofore taken to accomplish this. – Sky Sanders Sep 04 '10 at 02:45

4 Answers

3

Use the following code in your Login page to redirect the user to either an unauthorized page or the default page.

    protected void Page_Load( object sender, EventArgs e )
    {
        if( Page.IsPostBack )
            return;

        if( !Request.IsAuthenticated )
            return;

        if( !string.IsNullOrEmpty( Request.QueryString["ReturnUrl"] ) && !UrlAuthorizationModule.CheckUrlAccessForPrincipal(Request.QueryString["ReturnUrl"], User,"GET"))
        {
            // In Forms Authentication, authenticated but unauthorized requests are converted into a Redirect to the Login page.  
            // Redirect these to an error page instead.
            Response.Redirect( "~/UnauthorizedAccess.aspx", false );
        }
        else
        {
            Response.Redirect( FormsAuthentication.DefaultUrl, false );
        }
    }

See this link for a picture of what's happening and more info:

http://www.asp.net/security/tutorials/user-based-authorization-cs

Greg
  • 16,540
  • 9
  • 51
  • 97
  • @Sky Sanders: I've removed the material you're referring to, I think. If not, please provide further details. – Greg Nov 30 '10 at 17:15
0

If it fails authorization it will throw an exception. It must be passing. What are you using for authentication? Have you disabled anonymous access?

Ryan
  • 178
  • 1
  • 5
  • Are you sure? Because when I use a false role, I am redirected to the login page!! What are the chances? Anonymous access is disabled. – Costa Aug 07 '10 at 15:53
  • I didn't realize you had redirection set up for an authentication failure. What type of authentication are you using? – Ryan Aug 09 '10 at 16:30
0

Perhaps you could make use of a site map. More on those here, plus a bit about tying security to them here.

0

It's also possible to use web.config to set up permissions for various folders or files. Each folder could have a list of allow or deny rules like so:

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Administrators" />
      <allow roles="Random Role" />
      <deny users="*" />
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

Then, when someone hits a page that requires authorization they don't have permission for, it will redirect them to your login page. You could then check the query string for the page they came from and perhaps set up case-specific responses, or at the very least, if it has a ReturnUrl page on it, say "You are not authorized to see this page."

Delebrin
  • 1,049
  • 4
  • 11
  • 19
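The two answers above rely on how ASP.NET evaluates the `<authorization>` rules (first matching rule wins, `*` is everyone, `?` is anonymous) and on telling an authenticated-but-unauthorized visitor apart from an anonymous one. The following is an added example, not code from either answer: a small Python model of that rule evaluation, run over the accepted config and over the same rules with the `deny` moved first, which silently locks out the administrators too. The principals and both config fragments are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class Principal:
    name: Optional[str]                   # None models an anonymous visitor
    roles: Set[str] = field(default_factory=set)

    def authenticated(self) -> bool:
        return self.name is not None

def _matches(rule: ET.Element, p: Principal) -> bool:
    """Does one <allow>/<deny> element apply to this principal?"""
    users = [u.strip() for u in rule.get("users", "").split(",") if u.strip()]
    roles = [r.strip() for r in rule.get("roles", "").split(",") if r.strip()]
    for u in users:
        if u == "*":                                   # every visitor
            return True
        if u == "?" and not p.authenticated():         # anonymous visitors only
            return True
        if p.authenticated() and u.lower() == p.name.lower():
            return True
    return any(r in p.roles for r in roles)

def is_allowed(config_xml: str, p: Principal) -> bool:
    """First matching rule decides; no match falls through to ASP.NET's root-level allow."""
    rules = ET.fromstring(config_xml).find("system.web/authorization")
    for rule in rules:
        if _matches(rule, p):
            return rule.tag == "allow"
    return True

def desired_outcome(config_xml: str, p: Principal) -> str:
    """What the asker wants shown. Stock Forms Authentication sends both denied
    cases to the login page; the ReturnUrl check in the accepted answer is what
    separates 'unauthorized' from 'login'."""
    if is_allowed(config_xml, p):
        return "page"
    return "login" if not p.authenticated() else "unauthorized"

# Constructed configs: the answer's rule order, and the same rules with the deny first.
CONFIG_ANSWER = """<configuration><system.web><authorization>
  <allow roles="Administrators" /><allow roles="Random Role" />
  <deny users="*" /><deny users="?" />
</authorization></system.web></configuration>"""
CONFIG_DENY_FIRST = """<configuration><system.web><authorization>
  <deny users="*" /><allow roles="Administrators" />
</authorization></system.web></configuration>"""

ADMIN, MEMBER, ANON = Principal("alice", {"Administrators"}), Principal("bob", {"Users"}), Principal(None)
```

Running `desired_outcome(CONFIG_ANSWER, p)` for the three principals gives `page`, `unauthorized` and `login`; with `CONFIG_DENY_FIRST` even the administrator gets `unauthorized`.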