Redirecting users to Custom "Not Authorized" page while implementing Role Based Authorization.

Hi,

When using Forms Authentication with Role Based Authorization, we can restrict users based on their role for different directories/pages.

However, if a user who is not authorized to view a page tries to view it, he is redirected to the Login page with a ReturnUrl parameter, even though he is already logged in.

That gives the user no idea why he is being sent back to the same login page after he has already logged in, and it never tells him that he is not authorized to view that page.

Instead, we would like to take such users to a custom "You are not authorized to view this section" page.

This can be achieved by a little tweaking of code in the login page.

In the Page_Load event of the Login page, you can check whether the user is already authenticated and whether the ReturnUrl query string parameter is present. If both hold, the user must have tried to view a section he is not authorized for and been redirected to the login page by the authorization check (an anonymous user could never arrive authenticated).

So if both of the above conditions are true, you can safely Response.Redirect them to your custom "Not Authorized" page.

The code for the same is as follows:

protected void Page_Load(object sender, EventArgs e)
{
    // Already authenticated yet sent here with a ReturnUrl: a role check denied the page.
    if (User.Identity.IsAuthenticated && Request.QueryString["ReturnUrl"] != null)
    {
        Response.Redirect("NotAuthorized.aspx");
    }
}

The above is not the only solution and this can be handled using custom HTTP handler events. However, I found this to be a simpler, quicker solution with much less coding effort.
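As an added example (not the post's own code), here is a hardened form of the same Page_Load check in C#: it skips the login form's own postback, records the denial so repeated requests for restricted paths can be reviewed, never lets the client-supplied ReturnUrl drive an off-site redirect, and has the NotAuthorized page answer with a real 403. The IsLocalPath helper and the denied query parameter are assumptions of this example, as is an existing Forms Authentication setup with role rules in Web.config.

```csharp
// Added example, not the post's code; assumes Forms Auth + <authorization> role rules in Web.config.
using System;
using System.Web;
using System.Web.UI;

public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Skip the login form's own postback; the check only applies to the GET
        // that the authorization module redirected here with a ReturnUrl.
        if (IsPostBack)
            return;
        string returnUrl = Request.QueryString["ReturnUrl"];
        // Authenticated but bounced back here by <authorization> means a role
        // rule denied the request (a 403 situation), not a missing login.
        if (User.Identity.IsAuthenticated && !string.IsNullOrEmpty(returnUrl))
        {
            // Audit the denial so repeated requests for restricted paths are visible.
            Trace.Warn("Authz", string.Format("Role denial: user={0} path={1} ip={2}",
                User.Identity.Name, returnUrl, Request.UserHostAddress));
            // Forward the denied path only when it is a same-site relative path;
            // ReturnUrl is client-supplied and must never drive an off-site redirect.
            string target = "~/NotAuthorized.aspx";
            if (IsLocalPath(returnUrl))
                target += "?denied=" + HttpUtility.UrlEncode(returnUrl);
            Response.Redirect(target, false);
            Context.ApplicationInstance.CompleteRequest();
        }
    }

    // Hypothetical helper: local means rooted at "/" and not protocol-relative
    // ("//host") or the backslash variant ("/\host") that browsers treat as a host.
    static bool IsLocalPath(string url)
    {
        return url.StartsWith("/") && !url.StartsWith("//") && !url.StartsWith("/\\");
    }
}

public partial class NotAuthorized : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Report a real 403 so clients, proxies and logs see a denial, not a 200 "OK" page.
        Response.StatusCode = 403;
    }
}
```

If the NotAuthorized page displays the denied path from the query string, HTML-encode it before writing it into the page.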

posted @ Monday, April 25, 2005 7:38 AM


Comments on this entry:

# re: Redirecting users to Custom "Not Authorized" page while implementing Role Based Authorization.

Left by Duncan Millard at 8/31/2005 11:12 AM
Harish,

I tried this approach but consider the following sequence of events:

Try to access a protected resource before you are logged on
ASP.NET Auto-redirects you to the login page
You log in and are redirected to the protected resource that you do have permission to view
Then hit the "back" button

- You will get redirected to the Not Authorized page instead of having the login screen displayed again. I'm not sure how to get around this!

# re: Redirecting users to Custom "Not Authorized" page while implementing Role Based Authorization.

Left by Jerry Leong at 4/13/2006 2:40 AM
If you do not mind "hard coding" the destination url after a user login, this problem can easily be solved.

Insert these codes in the login page.

Protected Sub Login1_LoggedIn(ByVal sender As Object, ByVal e As System.EventArgs) Handles Login1.LoggedIn
    Response.Redirect("default.aspx")
End Sub

By doing so, the unauthenticated user will ALWAYS be redirected to the default page, instead of the unauthorized page.

Cheers

# No Redirecting

Left by Rafail Ahmadisheff at 12/23/2007 4:55 AM
In the login page I positioned a short message, explaining to the user why (s)he is invited to enter login/password yet again.

( Of course, in the Page_Load event I make this explanation visible or invisible depending on the condition described above: Panel1.Visible = (User.Identity.IsAuthenticated && Request.QueryString["ReturnUrl"] != null); )

# re: Redirecting users to Custom "Not Authorized" page while implementing Role Based Authorization.

Left by Jason at 7/1/2009 5:06 PM
Just put the code in an "if (!IsPostBack)" block and this should handle the redirection case where a user enters a protected page that he has access to before logging in. Hope this helps.
