Is it just me or is implementing Role Management and Forms Authentication to be user friendly painful? I have successfully implemented both together, not painful, but it seems so shoddy to me. If a user (in a Role of "BasicUser") is curious and attempts to type in a URL that they do not have access to, for example: http://www.mysite.com/admin

User wants to check out the security and see if the admin folder exists (being sneaky). Web.config for the admin folder contains:

    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>

User is not in an "Admin" role, application automatically redirects user to: http://www.mysite/login.aspx?RETURNURL=%2fAdmin%2fDefault.aspx

No biggie, so the user types in their credentials again, login page refreshes and nothing... User gets caught in an infinite loop on the login page because they are not in the "Admin" role. Seems to be very user unfriendly...

Alternative would be to build out a Base Page for each folder, that had security Role constraints and do something like:

    ' Base page for the /admin folder; pages in that folder inherit from it
    Public Class AdminBasePage
        Inherits System.Web.UI.Page

        Public Sub New()
            ' Register the PreInit to check Roles
            AddHandler PreInit, AddressOf AdminBasePage_PreInit
        End Sub

        Protected Sub AdminBasePage_PreInit(ByVal sender As Object, ByVal e As EventArgs)
            Dim profile As ProfileCommon = HttpContext.Current.Profile
            If Not Roles.IsUserInRole(profile.UserName, "Admin") Then
                Try
                    ' Send the user to an "access denied" page instead of the login page
                    HttpContext.Current.Server.Transfer("/UnAuthorized.aspx", False)
                Catch tex As Threading.ThreadAbortException
                    ' nada
                End Try
            End If
        End Sub
    End Class

Now that seems like a huge performance hit to me... Maybe If Not Page.IsPostBack, but still... What am I missing here? Is there a better way to communicate with the user that, "Hey, nice try bozo, you're not allowed in there!". I have dug and dug on Google and MSDN, but there isn't anything that gives a user friendly example, just shove them off to login page with the RETURNURL QueryString and let it ride... Banging Head Against Monitor, Stuck in a BOX...

Please chime in and help break this painfully small box I seem to have stuck myself inside of! Many thanks, BZ
I don't think you can do this using asp.net's role management and forms authentication. asp.net treats a denied user as an anonymous user and will simply deny and prompt for login. You'll probably have to create some sort of custom "fix" for this. Another possible solution could be modifying the forms authentication page. After successful authentication perform a "test" on the returnurl; if they do not have access, redirect them to another page. Good luck. If you find a solution, let us know!

Joel Thoms
DiscountASP.NET
http://www.DiscountASP.NET
Many thanks Joel for the input. Here is a resource that I have scoured that has many links on this subject:

ASP.NET 2.0 Membership, Roles, Forms Authentication, and Security Resources
http://weblogs.asp.net/scottgu/archive/2006/02/24/438953.aspx

They all talk about it, even Scott Mitchell on 4guysfromrolla has a two part article where he delves into Membership user- and role-based authorization. What is annoying about their examples that I have toyed with is that the user is prompted for login each time the user requests a page in a directory that has specified Roles constraints. The only solution I can see here, to get the desired results I am looking for (more user friendly), is the implementation of a base page, inherits System.Web.UI.Page, and do a manual check in a method like I previously posted. I am not sure I like it, but it appears to be the only option for me. Will keep you posted if I find anything else on this. Many thanks, BZ
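An added example (not code from either poster) of the approach Joel describes: the login page tests the ReturnUrl against the web.config authorization rules, both for a user who is already signed in and was bounced there by a deny rule, and right after a successful login, and sends them to an "access denied" page instead of looping. It assumes an asp:Login control with ID "LoginCtl", a page UnAuthorized.aspx, and the Role provider enabled; UrlAuthorizationModule.CheckUrlAccessForPrincipal is the framework call that evaluates the same rules UrlAuthorizationModule applies to requests.

```vb
' Code-behind for login.aspx (added example; assumes LoginCtl, UnAuthorized.aspx
' and an enabled Role provider).
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

Partial Class Login
    Inherits System.Web.UI.Page

    Private Const UnauthorizedPage As String = "~/UnAuthorized.aspx"

    ' True only when returnUrl is an app-local virtual path that the
    ' web.config <authorization> rules grant to the given principal.
    Private Shared Function CanAccessReturnUrl(ByVal returnUrl As String, _
                                               ByVal user As IPrincipal) As Boolean
        If String.IsNullOrEmpty(returnUrl) Then Return True
        ' Only rooted or app-relative paths are evaluated; anything else
        ' ("http://...", "//host/...") is treated as not accessible.
        Dim isLocal As Boolean = returnUrl.StartsWith("~/") OrElse _
            (returnUrl.StartsWith("/") AndAlso Not returnUrl.StartsWith("//"))
        If Not isLocal Then Return False
        Return UrlAuthorizationModule.CheckUrlAccessForPrincipal(returnUrl, user, "GET")
    End Function

    ' Case 1: an already-authenticated user was redirected here by <deny>.
    ' Showing the login form again is the loop from the question; send them
    ' to the access-denied page instead.
    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        Dim returnUrl As String = Request.QueryString("ReturnUrl")
        If User.Identity.IsAuthenticated AndAlso Not String.IsNullOrEmpty(returnUrl) _
           AndAlso Not CanAccessReturnUrl(returnUrl, User) Then
            Response.Redirect(UnauthorizedPage)
        End If
    End Sub

    ' Case 2: credentials were just accepted. Context.User is still the
    ' anonymous principal here, so build a RolePrincipal for the new user and
    ' test the ReturnUrl before the Login control redirects to it.
    Protected Sub LoginCtl_LoggedIn(ByVal sender As Object, ByVal e As EventArgs) _
        Handles LoginCtl.LoggedIn
        Dim returnUrl As String = Request.QueryString("ReturnUrl")
        Dim newUser As New RolePrincipal(New GenericIdentity(LoginCtl.UserName))
        If Not CanAccessReturnUrl(returnUrl, newUser) Then
            Response.Redirect(UnauthorizedPage)
        End If
    End Sub
End Class
```

With this in place the per-folder base page from the first post is not needed: the existing <authorization> rules still do the enforcement, and the login page only decides where to send a user they have already rejected.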