views: 179

answers: 4

Hi

I am trying to use role-based authorization in a declarative way. When an unauthorized user attempts to access a page, it never fires an exception or shows the user an error message. What should I do to show an unauthorized message? Is that possible in a declarative way?

Using code is not a nice option since I have several roles, and some folders are authorized for several roles while other folders are authorized for one role.

Thanks

A: 

If it fails authorization it will throw an exception. It must be passing. What are you using for authentication? Have you disabled anonymous access?

Ryan
Are you sure? Because when I use a false role, I am redirected to the login page!! What are the chances? Anonymous access is disabled.
Costa
I didn't realize you had redirection setup for an authentication failure. What type of authentication are you using?
Ryan
ASP.NET Forms authentication
Costa
A: 

Perhaps you could make use of a site map. More on those here, plus a bit about tying security to them here.

+1  A: 

Use the following code in your Login page to redirect the user to either an unauthorized page or the default page.

    // Code-behind of the Login page (Login.aspx.cs).
    // Requires: using System.Web; using System.Web.Security;
    protected void Page_Load( object sender, EventArgs e )
    {
        // Only act on the initial GET; postbacks are the login form itself.
        if( Page.IsPostBack )
            return;

        // A genuinely anonymous visitor just sees the login form.
        if( !Request.IsAuthenticated )
            return;

        // An authenticated user only lands here with a ReturnUrl when
        // UrlAuthorizationModule denied that URL for their roles.
        string returnUrl = Request.QueryString["ReturnUrl"];
        if( !string.IsNullOrEmpty( returnUrl )
            && !UrlAuthorizationModule.CheckUrlAccessForPrincipal( returnUrl, User, "GET" ) )
        {
            // In Forms Authentication, authenticated but unauthorized requests are converted into a Redirect to the Login page.
            // Redirect these to an error page instead.
            Response.Redirect( "~/UnauthorizedAccess.aspx", false );
        }
        else
        {
            Response.Redirect( FormsAuthentication.DefaultUrl, false );
        }
    }

See this link for a picture of what's happening and more info:

http://www.asp.net/security/tutorials/user-based-authorization-cs

Greg
Inappropriate use of copyrighted material.
Sky Sanders
I removed the image you are referring to, code poet.
Greg
A: 

It's also possible to use web.config to set up permissions for various folders or files. Each folder could have a list of allows or denies like so:

    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <authorization>
          <allow roles="Administrators" />
          <allow roles="Random Role" />
          <deny users="*" />
          <deny users="?" />
        </authorization>
      </system.web>
    </configuration>

Then when someone hits a page that requires authorization they don't have permission for, it will redirect them to your login page. You could then check the query string for the page they came from and perhaps set up case-specific responses, or at the very least, if it has a returnURL on it, say "You are not authorized to see this page."

Delebrin
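The two answers above (Greg's Login page check and Delebrin's per-folder web.config) depend on the same two facts: UrlAuthorizationModule evaluates the rules of the most specific folder first and the first matching rule wins, and FormsAuthentication turns an authenticated-but-denied request into a redirect to the login page with ReturnUrl set. The following Python model is an added example, not ASP.NET code and not code from any poster; the web.config texts, folder layout, user names and roles are constructed, and the `is_authorized` and `login_page_destination` functions are simplified models (no `<location>` elements, no case-insensitive role matching). It also includes a third config that puts `<deny users="*" />` before the allow rules, to show why rule order matters.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample web.config files (hypothetical, not taken from a real site).
# Root of the site: the default rule, everyone allowed.
ROOT_CONFIG = """<?xml version="1.0"?>
<configuration><system.web><authorization>
  <allow users="*" />
</authorization></system.web></configuration>"""

# A protected folder, using the rule list from the answer above.
ADMIN_CONFIG = """<?xml version="1.0"?>
<configuration><system.web><authorization>
  <allow roles="Administrators" />
  <allow roles="Random Role" />
  <deny users="*" />
  <deny users="?" />
</authorization></system.web></configuration>"""

# Same intent, but deny-all placed first: nobody gets in, including admins.
LOCKED_OUT_CONFIG = """<?xml version="1.0"?>
<configuration><system.web><authorization>
  <deny users="*" />
  <allow roles="Administrators" />
</authorization></system.web></configuration>"""


@dataclass(frozen=True)
class Principal:
    name: str = ""                  # empty name models an anonymous request
    roles: frozenset = frozenset()

    @property
    def is_authenticated(self) -> bool:
        return bool(self.name)


def parse_rules(config_xml: str):
    """Return (tag, users, roles, verbs) for each <allow>/<deny>, in document order."""
    section = ET.fromstring(config_xml).find("./system.web/authorization")
    rules = []
    for el in section:
        if el.tag not in ("allow", "deny"):
            continue

        def attr_list(name):
            return [v.strip() for v in el.get(name, "").split(",") if v.strip()]

        verbs = [v.upper() for v in attr_list("verbs")]
        rules.append((el.tag, attr_list("users"), attr_list("roles"), verbs))
    return rules


def rule_matches(rule, principal: Principal, verb: str) -> bool:
    """'*' matches everyone, '?' only anonymous users; names and roles match literally."""
    _, users, roles, verbs = rule
    if verbs and verb.upper() not in verbs:      # no verbs attribute = all verbs
        return False
    for user in users:
        if user == "*":
            return True
        if user == "?" and not principal.is_authenticated:
            return True
        if principal.is_authenticated and user.lower() == principal.name.lower():
            return True
    return any(role in principal.roles for role in roles)


def is_authorized(config_chain, principal: Principal, verb: str = "GET") -> bool:
    """Model of UrlAuthorizationModule: child folder rules first, then each parent;
    the first rule that matches decides. No match at all means allowed."""
    for config_xml in config_chain:
        for rule in parse_rules(config_xml):
            if rule_matches(rule, principal, verb):
                return rule[0] == "allow"
    return True


# Constructed site layout: configs that apply to each folder, most specific first.
SITE = {
    "/Admin/": [ADMIN_CONFIG, ROOT_CONFIG],
    "/Broken/": [LOCKED_OUT_CONFIG, ROOT_CONFIG],
    "/": [ROOT_CONFIG],
}


def chain_for(path: str):
    """Longest matching folder prefix wins."""
    return SITE[max((f for f in SITE if path.startswith(f)), key=len)]


def login_page_destination(principal: Principal, return_url: str) -> str:
    """Model of the Login page logic above: an authenticated user who arrives
    with a ReturnUrl they are not allowed to GET was sent here by a denial."""
    if not principal.is_authenticated:
        return "login-form"
    if return_url and not is_authorized(chain_for(return_url), principal, "GET"):
        return "~/UnauthorizedAccess.aspx"
    return "~/Default.aspx"
```

A useful check against a real site is to run every folder's rule list through a model like this with one principal per role before deploying it: a `<deny users="*" />` that precedes the allows, as in `LOCKED_OUT_CONFIG`, silently locks out the very roles the folder was meant for, and the only symptom in Forms Authentication is the same redirect to the login page that the question describes.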