An ASP.NET Blog
I work for Microsoft and help people and businesses make better use of technology to realize their full potential. The opinions mentioned herein are solely mine and do not reflect those of my employer.

Redirecting users to Custom "Not Authorized" page while implementing Role Based Authorization.

Monday, April 25, 2005 7:38 AM
Hi,

When using Forms Authentication with Role Based Authorization, we can restrict users based on their role for different directories/pages.

However, if a user who isn't authorized to view a page tries to view it, he is redirected to the login page with a ReturnUrl parameter, even though he is already logged in.

That gives the user no idea why he is being sent to the login page when he has already logged in, and it never tells him that he is not authorized to view that page.

Instead, we would like to take him to a custom "You are not authorized to view this section" page.

This can be achieved by a little tweaking of code in the login page.

In the Page_Load event of the login page, you can check whether the user is authenticated and whether the ReturnUrl query string parameter is not null. If both are true, the user has tried to view a section he is not authorized for and has been redirected to the login page.

So if both of the above conditions are true, you can Response.Redirect him to your custom "Not authorized" page.

The code is as follows:

    protected void Page_Load(object sender, EventArgs e)
    {
        // Already signed in but sent back to the login page with a ReturnUrl:
        // an authorization rule rejected the request, so show the custom page.
        if (User.Identity.IsAuthenticated && Request.QueryString["ReturnUrl"] != null)
        {
            Response.Redirect("NotAuthorized.aspx");
        }
    }

The above is not the only solution and this can be handled using custom HTTP handler events. However, I found this to be a simpler, quicker solution with much less coding effort.
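A stricter form of the same check, as an added example that is not the author's code: it redirects only when ASP.NET's URL authorization rules actually deny the signed-in user the ReturnUrl target, so reaching the login page with a ReturnUrl for a page the user is allowed to view leaves the login form in place. It assumes ASP.NET 2.0 or later (for UrlAuthorizationModule.CheckUrlAccessForPrincipal) and access rules declared in web.config `<authorization>` sections; the class name Login and the helper IsDenied are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical code-behind class for the login page (name assumed).
public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string returnUrl = Request.QueryString["ReturnUrl"];

        // Anonymous visitor, or no ReturnUrl: show the login form as usual.
        if (!User.Identity.IsAuthenticated || string.IsNullOrEmpty(returnUrl))
            return;

        // Redirect only when the authorization rules really deny this user.
        if (IsDenied(returnUrl, User))
            Response.Redirect("NotAuthorized.aspx");
    }

    // Hypothetical helper: true when URL authorization denies 'user' a GET of the target.
    private static bool IsDenied(string returnUrl, IPrincipal user)
    {
        // ReturnUrl is caller-supplied; only a rooted path is evaluated.
        if (!returnUrl.StartsWith("/", StringComparison.Ordinal))
            return false;

        // The API expects a virtual path, so drop any query string.
        int q = returnUrl.IndexOf('?');
        string path = q >= 0 ? returnUrl.Substring(0, q) : returnUrl;

        try
        {
            return !UrlAuthorizationModule.CheckUrlAccessForPrincipal(path, user, "GET");
        }
        catch (ArgumentException)
        {
            return false; // path lies outside this application: not a denial by our rules
        }
        catch (HttpException)
        {
            return false; // malformed virtual path
        }
    }
}
```

The check reflects only the URL authorization rules in web.config; access decisions made elsewhere, such as role checks inside page code, are not seen by it.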

Feedback

# re: Redirecting users to Custom "Not Authorized" page while implementing Role Based Authorization.

Harish,

I tried this approach but consider the following sequence of events:

Try to access a protected resource before you are logged on
ASP.NET Auto-redirects you to the login page
You log in and are redirected to the protected resource that you do have permission to view
Then hit the "back" button

- You will get redirected to the Not Authorized page instead of having the login screen displayed again. I'm not sure how to get around this!

8/31/2005 11:12 AM | Duncan Millard

# re: Redirecting users to Custom "Not Authorized" page while implementing Role Based Authorization.

If you do not mind "hard coding" the destination url after a user login, this problem can easily be solved.

Insert this code in the login page.

    Protected Sub Login1_LoggedIn(ByVal sender As Object, ByVal e As System.EventArgs) Handles Login1.LoggedIn
        ' Always send the user to the default page after a successful login.
        Response.Redirect("default.aspx")
    End Sub

By doing so, the unauthenticated user will ALWAYS be redirected to the default page, instead of the unauthorized page.

Cheers

4/13/2006 2:40 AM | Jerry Leong

# No Redirecting

In the login page I positioned a short message, explaining to the user why (s)he is invited to enter login/password yet again.

(Of course, in the Page_Load event I make this explanation visible or invisible depending on the condition described above: Panel1.Visible = (User.Identity.IsAuthenticated && Request.QueryString["ReturnUrl"] != null);)

12/23/2007 4:55 AM | Rafail Ahmadisheff
