[VB.NET/ASP.NET]

I'm trying to get a grasp of using Forms Authentication and I'm getting most everything to work, but I am unable to figure out how to detect if a user is not Authorized to access a certain file or folder. This is how my code works so far:

- A user tries to access a page that is in a folder that only people in the role of "Monkeys" can access. If the person has not authenticated, he/she is sent to a login form. Once the login information is submitted, the info is compared to data in a database and if the information is valid, the user's Role is set to a cookie called "Roles" for future use... if a user belongs in several roles, the values are separated by ".".

- The following lines of code are in my Global.asax.vb file to process the Role information to make sure the user has access to the desired file:

********
'Requires: Imports System.Security.Principal
If Not context.User Is Nothing AndAlso context.User.Identity.IsAuthenticated Then
    'Create a generic identity
    Dim userIdentity As GenericIdentity = New _
        GenericIdentity(context.User.Identity.Name, "Forms")
    'Create a generic principal
    Dim userPrincipal As GenericPrincipal = New _
        GenericPrincipal(userIdentity, context.Request.Cookies("Roles").Value.Split("."))
    'Set the new Principal to the Current User
    context.User = userPrincipal
End If
********

If the user does not belong to the role of "Monkey" he/she appears to be redirected back to the login screen, but all previous login information is lost... it's almost as if the session is reset. Therefore, I can't figure out how to display a "friendly message" to the user stating that he/she is not authorized to view the file... he/she just sees the login screen again with no warning.

I'm not sure what other code I should post here. Does anyone know how to detect if Authorization failed or have any suggestions for me?

I agree that this is one limitation of Forms-based authentication. What I have done for this situation (and it feels like a bit of a hack) is, on the login page, check to see if the user is logged in (User.Identity.Name.Length > 0). If they are, and they're on the login page, I assume that they attempted to access a resource they didn't have permission to, so I display a friendly message.

hth
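
The login-page check described in the reply above, written out as an added example that is not code from either poster. The class name `Login` and the label `lblMessage` are hypothetical; the label is assumed to be declared in the .aspx markup. It uses `Request.IsAuthenticated` together with the `ReturnUrl` query-string value that Forms Authentication appends when it redirects to the login page.

```vbnet
Imports System
Imports System.Web
Imports System.Web.UI
Imports System.Web.UI.WebControls

' Code-behind for the login page (hypothetical names: Login, lblMessage).
Public Class Login
    Inherits Page

    ' Assumed markup: <asp:Label id="lblMessage" runat="server" />
    Protected WithEvents lblMessage As Label

    Private Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) _
        Handles MyBase.Load

        ' Only evaluate on the initial GET, not when the form is submitted.
        If IsPostBack Then Return

        ' Forms Authentication appends ReturnUrl when it redirects here.
        Dim returnUrl As String = Request.QueryString("ReturnUrl")

        ' An authenticated user who was bounced to the login page with a
        ' ReturnUrl failed the authorization check, not the login.
        If Request.IsAuthenticated AndAlso Not returnUrl Is Nothing _
            AndAlso returnUrl.Length > 0 Then

            ' Both values can contain attacker-influenced text (ReturnUrl
            ' comes straight from the query string), so HTML-encode them
            ' before writing them into the page.
            lblMessage.Text = "You are signed in as " & _
                Server.HtmlEncode(User.Identity.Name) & _
                " but are not authorized to view " & _
                Server.HtmlEncode(returnUrl) & "."
            lblMessage.Visible = True
        Else
            ' Anonymous visitor: show the normal login form only.
            lblMessage.Visible = False
        End If
    End Sub
End Class
```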