I have an existing app that I've been doing some authentication work on (fixing some long-standing issues) and I'm happy enough with the login redirection under normal circumstances. For IIS7 I'm implementing an authorization HttpModule that I'm running on the whole IIS7 pipeline.

This works great but I'd like to get some subdirectories (actually virtual directories) of the main site to return 403 instead of a redirect. Is it possible to do this without implementing my own authentication module?

I've seen Sky Sanders' work (code poet) but I'd like to avoid that if I can.

http://www.codeproject.com/Articles/39062/Salient-Web-Security-AccessControlModule.aspx

It feels like something clever with a <location=""> section should work but I can't figure out how to do that (or if it's even possible).

A: 

Try creating a separate web.config for the sub directories and denying access to them (sub directory) using the deny verb in the sub directory's web.config. Something like deny="?" (? is the verb that identifies authenticated users). If you want a 403 for everybody try * instead of ?. I think this should work.

Sidharth Panwar
Sadly that doesn't work (well at least not for me), you just get redirected back to the login page.
PeterI
Try setting <customerrors mode="off"> in the sub directory's web.config.
Sidharth Panwar
Nope, adding that (correcting the case to customErrors) doesn't help either. Still get a redirection.
PeterI
A: 

Take a look here where I'm actually trying to PREVENT an error 403. Having taken a second look I'm not sure how you could use it in your situation but it might throw some light on a different way of manipulating server responses.

m.edmondson
Nearly, but if I'm doing that then the way Sky does it is probably better. However, I'd 'forgotten' about global.asax; might be worth a look.
PeterI
A: 

Try this:

<customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
    <error statusCode="403" redirect="NoAccess.htm"/>
    <error statusCode="404" redirect="FileNotFound.htm"/>
</customErrors>

(Source: MSDN)

If this doesn't cut it, also add this in your Global.asax:

void Application_EndRequest(object sender, EventArgs e)
{
    // if login failed then display user friendly error page.
    if (Response.StatusCode == 403)
    {
        Response.ClearContent();
        Server.Transfer("~/Common/Errors/AccessDenied.html");
    }
}

Hope this works.

Sidharth Panwar
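
The redirects reported in the comments above come from forms authentication turning the 401 into a 302 to the login page, so a check for status 403 in EndRequest never fires. The following is an added example, not code from any of the answers or from the asker's project: a Global.asax handler that converts that specific redirect into a 403 for selected sub-paths. The prefixes in ProtectedPrefixes are placeholders, and it assumes the virtual directories run inside the parent application, the response is still buffered at EndRequest, and the forms-auth redirect target starts with FormsAuthentication.LoginUrl.

```csharp
// Global.asax.cs (added example; path prefixes below are placeholders)
using System;
using System.Linq;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Assumption: app-relative prefixes that must answer 403 instead of
    // redirecting to the login page. Replace with the real sub-directories.
    private static readonly string[] ProtectedPrefixes =
    {
        "~/reports/",
        "~/files/"
    };

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpResponse response = Context.Response;

        // Forms authentication has already rewritten 401 to 302 by this point.
        if (response.StatusCode != 302)
            return;

        // Leave every redirect alone except the one aimed at the login page.
        string location = response.RedirectLocation ?? string.Empty;
        if (!location.StartsWith(FormsAuthentication.LoginUrl,
                                 StringComparison.OrdinalIgnoreCase))
            return;

        string path = Context.Request.AppRelativeCurrentExecutionFilePath;
        bool isProtected = ProtectedPrefixes.Any(
            p => path.StartsWith(p, StringComparison.OrdinalIgnoreCase));
        if (!isProtected)
            return;

        // Drop the buffered redirect body and headers (including Location),
        // then send a plain 403 so the client is not bounced to the login form.
        response.ClearContent();
        response.ClearHeaders();
        response.StatusCode = 403;
        response.StatusDescription = "Forbidden";
    }
}
```

Both anonymous requests and authenticated-but-unauthorized requests reach this handler as the same 302, so both receive the 403 for the listed prefixes.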