Home/ Questions/Q 938059
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T21:34:47+00:00

So, I’ve implemented my IPrincipal.IsInRole(…) and I’m using FormsAuthentication like so: <authentication mode=Forms> <forms

  • 0

So, I’ve implemented my IPrincipal.IsInRole(…) and I’m using FormsAuthentication like so:

<authentication mode="Forms">
     <forms loginUrl="Login.aspx" name="someName" timeout="600"/>
</authentication>

Then I have a page that requires you to be authenticated and that you have “roleA”. This is configured like so:

 <location path="SomePage.aspx">
  <system.web>
   <authorization>
    <allow roles="roleA" />
    <deny users="*"/>
   </authorization>
  </system.web>
 </location>

Now, I login to my web application, but with a user that does NOT have roleA. When I visit SomePage.aspx I get redirected to Login.aspx, the url specified in loginUrl of the forms element. So, my question is shouldn’t I be able be specify an authorization denied message or url? If the user is authenticated, but not authorized why would I want to redirect to the login page. It’s confusing as hell to the user. Please tell me I am missing something simple.

Thanks for reading!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Yeah, this is a little annoying. Maybe someone has a simpler idea, but the solution (hack?) that we came up with was to look for the originally-requested URL that ASP.NET appends to the query string when the user is redirected to the login page.

    We created a new web.config section that stores a set of keys/values that match a fragment of the redirect URL to an authorization message:

    <configSections>
    <section name="authorizationFailureMessages" type="System.Configuration.NameValueSectionHandler, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    ...etc...
</configSections>

<authorizationFailureMessages>
    <add key="MemberResources" value="MembershipRequired" />
    <add key="Staff" value="StaffOnly" />
    <add key="Departments/Administration/BoardOfDirectors" value="BoardOfDirectorsOnly" />
    ...etc...
</authorizationFailureMessages>

    In the Page_Load() event of the Login.aspx page, we call a method that uses this URL to determine which (un)authorization event occurred then redirect them to a message page that displays the appropriate text:

    private void DisplayAppropriateAuthorizationMessage ()
{
    if ( !Page.User.Identity.IsAuthenticated )
        return;

    string redirectUrl = FormsAuthentication.GetRedirectUrl( Page.User.Identity.Name, false );

    if ( string.IsNullOrEmpty( redirectUrl ) )
        return;

    NameValueCollection authorizationFailureMessages = ConfigurationManager.GetSection( "authorizationFailureMessages" ) as NameValueCollection;

    if ( authorizationFailureMessages == null )
        return;

    foreach ( string key in authorizationFailureMessages.AllKeys )
    {
        if ( redirectUrl.Contains( key ) )
        {
            Response.Redirect( String.Format( "Message.aspx?{0}={1}", Constants.QueryStringKeys.ERRORMESSAGENAME, authorizationFailureMessages[ key ] ), true );
        }
    }
}
    • 0