
We have a custom ASP.NET role provider implemented in our website (.NET 4, IIS 7.5, VS 2010, all pretty stock stuff). My question is how to handle or intercept the role provider redirect when the user is denied access to a page.

Let me be clear. The role provider is working correctly. We created web.config files in various subdirectories of our website that add the appropriate elements/attributes for access. So let's say I try to access a page in a subdir that I don't have a role for... right now, the role provider redirects me to our Login page (presumably coming off the web.config values for our Membership provider as well).

What I want to do, however, is redirect the user to a custom "Access Denied" page of our choosing, not the login page.

Based on many Google searches, I tried a few things that simply did not work.

For example, one person suggested adding a custom Application_Error method to the global.asax file. Tried that, it never got hit.

Also tried adding to the customErrors section in web.config:

```xml
<error statusCode="401" redirect="AccessDenied.aspx" />
```

Again, that never worked.

As many debug breakpoints as I put in, the best I can tell is that the role provider is doing its thing much earlier in the lifecycle than I can catch and is automatically redirecting to our login page.

Any thoughts on how to intercept this would be greatly appreciated.

Thanks.

Ash Burlaczenko
Margo Noreen
  • The _Custom Authorize Attribute_ solution presented in http://stackoverflow.com/a/4664529/110164 should help, I would think. Then you could override `HandleUnauthorizedRequest` to redirect wherever you like. – Chris Nielsen Oct 17 '12 at 22:12

1 Answer


When a user doesn't have access because of something within the database, it redirects to the loginUrl specified in the forms config element as:

```xml
<forms loginUrl="login.aspx" />
```

The only item I have in mind is that if you are at the login page and the `this.User.Identity.IsAuthenticated` property is true, the user got there because they were redirected for one of these issues. So then you can redirect to the AccessDenied.aspx page. This will work if an authenticated user is being redirected to login ONLY for denial.

Otherwise, if you need to send them to a variety of places, the only thing I can think of is to dump the in-built redirection feature: in global.asax, add the `Application_AcquireRequestState` handler, or a handler at some other point (depending on whether you need access to session or not), check the user's permissions, and redirect them accordingly (via `HttpContext.Current.Response.Redirect`).

Brian Mains
  • Thanks Brian, but there is another case where the login page has been hit, and that's what we discovered and are trying to intelligently deal with... That is, let's say I log in for the 1st time. Great, no problem there. Then I bring up a new browser tab (in IE or Chrome or whatever) which seems to retain session state. Now let's say I have a bookmark for this website that happens to be the login page. I click that bookmark/favorite in my new tab window. Now, IsAuthenticated is true, but I got there on my own, not by the Role Provider bouncing me ... – Margo Noreen Jan 09 '12 at 19:15
  • OK, so if the user gets to the login page, you want them redirected to the not authorized page? – Brian Mains Jan 09 '12 at 20:54
  • Right. If an already authenticated user has reached the login page (ostensibly from opening up a new browser tab and clicking a bookmark to the login page), that's OK. If the Role Provider is kicking in and bouncing a user due to a permission issue, I want them to go to a custom page, not the login page. I don't see how to detect this case by the time the login page is requested. – Margo Noreen Jan 10 '12 at 19:14
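
The login-page check from the answer, as an added example that is not part of the original post or its comments. It goes one step further than the answer by using the `ReturnUrl` query string that forms authentication appends when it bounces a request, which separates a role denial from the bookmarked visit raised in the comments. The code-behind class name `Login`, the helper name `IsDeniedByUrlAuthorization` and the `~/AccessDenied.aspx` path are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Code-behind for the page named in <forms loginUrl="login.aspx" /> (class name assumed).
public partial class Login : Page
{
    // Assumed location of the custom page; it must be readable by every authenticated user.
    private const string AccessDeniedUrl = "~/AccessDenied.aspx";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Anonymous visitors and login postbacks follow the normal login flow.
        if (IsPostBack || !Request.IsAuthenticated) return;

        // Forms authentication appends ReturnUrl when it redirects a denied request.
        // A bookmarked or typed login URL normally has none, so leave that case alone.
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (string.IsNullOrEmpty(returnUrl)) return;

        if (IsDeniedByUrlAuthorization(returnUrl))
        {
            // Fixed destination only: ReturnUrl is user-controlled and is never redirected to.
            Response.Redirect(AccessDeniedUrl, false);
            Context.ApplicationInstance.CompleteRequest();
        }
    }

    // True when the web.config <authorization> rules deny the current user the target path.
    private bool IsDeniedByUrlAuthorization(string returnUrl)
    {
        string path = returnUrl.Split('?')[0];                  // rules apply to the path only
        if (!VirtualPathUtility.IsAbsolute(path)) return false; // must be a rooted local path
        try
        {
            return !UrlAuthorizationModule.CheckUrlAccessForPrincipal(path, User, "GET");
        }
        catch (ArgumentException) { return false; }             // path outside this application
        catch (HttpException) { return false; }                 // malformed virtual path
    }
}
```

The check only chooses which page an already authenticated user sees; access itself is still enforced by the `<authorization>` rules in each subdirectory's web.config.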