0

My ASP.Net app handles authorization with roles just fine, but when someone reaches an unauthorized page, he is kicked back to the login page without any sort of warning.

Is there a way of passing a message to the default login page? Alternatively, is there a way to have an authorization failure redirect to a page that's not the default login page (while maintaining the default page when authorization is needed for the first time)?

I think some of you are misunderstanding what I have. Here is my login.aspx:

```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Web.Security" %>

<script runat="server">
void Logon_Click(object sender, EventArgs e)
{
    if (Membership.ValidateUser(Username.Text, Password.Text))
    {
        FormsAuthentication.RedirectFromLoginPage(Username.Text, false);
    }
    else
    {
        Msg.Text = "Your user name or password is incorrect";
    }
}
</script>

<html>
<head id="Head1" runat="server">
  <title>Login Screen</title>
</head>
<body>
  <form id="form1" runat="server">
    <div style="text-align:center;">
    <h3>You must be logged in to use this application</h3>
    <table>
      <tr>
        <td>
          User Name:</td>
        <td>
          <asp:TextBox ID="Username" runat="server" /></td>
        <td>
          <asp:RequiredFieldValidator ID="RequiredFieldValidator1" 
            ControlToValidate="Username"
            Display="Dynamic" 
            ErrorMessage="User Name needs to be filled in"
            runat="server" />
        </td>
      </tr>
      <tr>
        <td>
          Password:</td>
        <td>
          <asp:TextBox ID="Password" TextMode="Password" 
             runat="server" />
        </td>
        <td>
          <asp:RequiredFieldValidator ID="RequiredFieldValidator2" 
            ControlToValidate="Password"
            ErrorMessage="Password needs to be filled in"
            runat="server" />
        </td>
      </tr>
    </table>
    <asp:Button ID="Submit1" OnClick="Logon_Click" Text="Log On" 
       runat="server" />
    <p>
      <asp:Label ID="Msg" ForeColor="red" runat="server" />
    </p>
    </div>
  </form>
</body>
</html>
```

and here is the "admin" controller page:

```csharp
using System.Web.Mvc;

namespace MyApp.Controllers
{
    public class AdminController : Controller
    {
        // Only users in the SuperUser role may reach this action.
        [Authorize(Roles="SuperUser")]
        public ActionResult Index()
        {
            return View();
        }
    }
}
```

If the person who logged in is in the system but does not have the SuperUser role, it returns to the login screen - what I want to do is, I want the user to differentiate between the login screen showing up because the user hasn't logged in yet and the screen showing up because the user did not have the correct role.

Actually, what I want to do for an unauthorized user is to display a separate screen that displays a message and then lets the user return to the app's home screen.

Don Del Grande
  • you can check your return url parameter, based on that you may display a message in the login screen – pedrommuller Sep 26 '13 at 17:06
  • It turns out that what I am trying to do is [this](http://stackoverflow.com/questions/7447705/asp-net-redirect-to-error-page-if-roles-authorization-fails). – Don Del Grande Sep 26 '13 at 17:56

2 Answers

2

Create a class derived from AuthorizeAttribute and override the method: HandleUnauthorizedRequest

```csharp
using System.Web.Mvc;

namespace MvcAttributes.Infrastructure.customAttributes
{
    public class MyAuthorizeAttribute : AuthorizeAttribute
    {
        protected override void HandleUnauthorizedRequest(AuthorizationContext context)
        {
            // redirect to your Error page
            context.Result = new RedirectResult("/UnauthorizedRequest.html");
            // if you want to redirect to some action, use:
            //   new RedirectResult("/UnAuthorizedUsers/ErrorDetails");
        }
    }
}
```

and apply MyAuthorizeAttribute as shown below:

```csharp
[MyAuthorizeAttribute]
public class ProductController : Controller
{
    // ... action methods ...
}
```
R.C
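
An added example, not part of R.C's answer or the asker's project: the same override, but keeping the default login redirect for users who have not signed in and sending only signed-in users who lack the role to a separate page, which is the distinction the question asks for. The names `MyApp.Infrastructure`, `RoleAuthorizeAttribute`, `ErrorController` and `AccessDenied` are hypothetical; it would be applied as `[RoleAuthorize(Roles = "SuperUser")]` in place of `[Authorize(Roles = "SuperUser")]`.

```csharp
using System.Net;
using System.Web.Mvc;
using System.Web.Routing;
// Hypothetical names (not from the page): MyApp.Infrastructure,
// RoleAuthorizeAttribute, ErrorController, AccessDenied.
namespace MyApp.Infrastructure
{
    public class RoleAuthorizeAttribute : AuthorizeAttribute
    {
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            var user = filterContext.HttpContext.User;
            bool signedIn = user != null && user.Identity != null && user.Identity.IsAuthenticated;

            if (!signedIn)
            {
                // Not logged in yet: keep the default 401 result, which forms
                // authentication turns into the redirect to the login page.
                base.HandleUnauthorizedRequest(filterContext);
                return;
            }

            if (filterContext.HttpContext.Request.IsAjaxRequest())
            {
                // Script callers get a bare 403 instead of an HTML page.
                filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
                return;
            }

            // Logged in but missing the role: fixed route, no request data in
            // the target, so the redirect cannot be steered by the caller.
            filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
                { { "controller", "Error" }, { "action", "AccessDenied" } });
        }
    }

    public class ErrorController : Controller
    {
        [Authorize] // any signed-in user, no role required
        public ActionResult AccessDenied()
        {
            Response.StatusCode = (int)HttpStatusCode.Forbidden;
            Response.TrySkipIisCustomErrors = true; // keep this view as the 403 body
            return View(); // the view shows the message and a link back to the home screen
        }
    }
}
```

Returning 403 rather than 401 for the missing-role case matters here because forms authentication only rewrites 401 responses into the login redirect.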
0

You can use the ContentResult to return a plain string:

In MVC, how do I return a string result?

```csharp
// Inside the controller action: return a plain string when the check fails.
if (!bAuthorized)
{
    return Content("Unauthorized.");
}
```

assuming your function looks like this:

```javascript
function isAuthorized() {
    $.ajax({
        url: '/Home/isAuthorized',
        type: "POST",
        data: "some data",
        success: function (ret) {
            // The action returns a plain string, so insert it as text, not as HTML.
            $("#displayresult").text(ret);
        },
        error: function (ret) {
            $("#displayresult").text("Something went wrong!");
        }
    });
}
```
qxixp