I created different roles (such as Admin, Active user, User, ...) in my web system. The user gets authenticated by the built-in ASP.NET login, and I have a different folder for each user role.
Every user group has a folder and a web.config page to allow or deny access to the folder's pages.
Now my question is:
How do I redirect a user from a page they do not have permission to see to another page, such as an access denied.aspx page?
For more info:
I want that when a "user" clicks on the manager's page, it redirects to the access denied.aspx page.
Note:
If there is a way to not show the manager's page to the user group at all, please say so.
Put this in the master page:
if (!(HttpContext.Current.User.IsInRole("Admin")))
{
    Response.Redirect("UnAuthenticatedUser.aspx");
}
In the manager's Page_Load:
if (!User.IsInRole("managers"))
{
    Response.Redirect("denied.aspx");
}
or something like that?
Related
I am currently working on a web application that requires users to log in using a single sign-on which is incorporated into Active Directory. Within the Active Directory login, I want an administrator to have administrative rights to access an admin page within the web-based application, and the normal user to have access to another page which has read-only access.
You can actually control it from the database. For example, you can return a value from the database based on the user. If value = something, redirect to 'first'; else if value = another, redirect to 'second', like this.
You can do this with claims-based auth. I suggest you look at the following:
https://aadguide.azurewebsites.net/claims/
https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-roleclaims/
https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios#claims-in-azure-ad-security-tokens
I have a SharePoint Server 2013, and I have added site pages to it. Now I want the home page (www.xyz.com) to be accessible to all users regardless of whether they have been added to the groups/authenticated users.
Except for the home page, only the registered users should have access to the content/other pages. Otherwise SharePoint should give a message like "you don't have access" or "this page hasn't been shared with you" when an unauthorized user tries to access the rest of the site pages.
I already tried the NT AUTHORITY setting to define permissions on the home page, but for that the user needs to have the exact path of the web page (www.xyz.com/main.aspx); otherwise it's not working with just (www.xyz.com).
Either the user is getting all the access or none.
Kindly refer to this link for more info. It is somewhat similar to what I need.
Sharepoint-Add permission to to all authenticated users
What are the ways to notify user that he does not have permissions to access a page?
What I have already started is that I made an error page with a "no permissions" message, and the user will be redirected to it if he does not have permissions on the requested page.
I don't know if this is the official or the best way.
Another question is what I should do in the UserControl case: for example, when I have a user control to browse the employees, I don't want to have to block the user every time the user control is used. I would prefer to process the permissions in one place (inside the user control's code).
Any ideas will be appreciated.
Thanks.
I would suggest you make a custom page and redirect the user to that page if that user is not in a certain role...
Put this condition in the master page:
if (!(HttpContext.Current.User.IsInRole("Admin")))
{
    Response.Redirect("UnAuthenticatedUser.aspx");
}
You have many options, including:
Option 1: Redirect the user to a page that you have created for such a purpose:
Response.Redirect("ErrorPage.aspx");
Option 2: Throw an exception, then handle it in an appropriate way:
throw new Exception("Exception Message");
I usually set the Visible property to false for the controls that the user does not have permissions on.
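Hiding links and redirecting after the click are complementary; the risk with hiding alone is that the menu and the server-side rule drift apart over time. The added example below (not code from any of the answers above) ties the Visible property of a navigation link to the same <authorization> rules that web.config enforces for the target page, using UrlAuthorizationModule.CheckUrlAccessForPrincipal from System.Web.Security. The control names lnkManagers and lnkAdmin and the page paths are assumed; the authorization rules themselves come from the application's web.config.

```csharp
// Added example: hide navigation links that the current user is not allowed to
// open, decided by the web.config <authorization> rules rather than by a second,
// hand-maintained role list. lnkManagers, lnkAdmin and the target paths are
// assumed names for this illustration.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Site : MasterPage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Each call pairs a link control with the page it points to.
        ShowIfAuthorized(lnkManagers, "~/Managers/Default.aspx");
        ShowIfAuthorized(lnkAdmin, "~/Admin/Default.aspx");
    }

    private void ShowIfAuthorized(HyperLink link, string appRelativePath)
    {
        link.NavigateUrl = appRelativePath;
        link.Visible = IsAuthorizedFor(appRelativePath, Context.User);
    }

    // Returns true when the web.config authorization rules (including
    // <location> sections) allow 'user' to GET the page at 'appRelativePath'.
    // Hiding the link is only a usability measure: a direct request to the
    // URL is still evaluated against the same rules by UrlAuthorizationModule.
    internal static bool IsAuthorizedFor(string appRelativePath, IPrincipal user)
    {
        string virtualPath = VirtualPathUtility.ToAbsolute(appRelativePath);
        return UrlAuthorizationModule.CheckUrlAccessForPrincipal(virtualPath, user, "GET");
    }
}
```

Because the check reads the deployed configuration, adding a new `<location path="...">` block with a `<deny>` rule hides the corresponding link on the next request without touching the master page.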
You can use the authorization section in the web.config
It would all depend on how fine-grained your permissions are. Based on the permissions set, sometimes it may not make sense to show the entire page, while other times you need to disable, make read-only, or hide part of the UI. For example, let's say there are two permissions: view user details and add/edit user details. If the view permission is not present, then on navigating to the user details page one should redirect the user to a common error page stating something like "Insufficient Permissions". On the other hand, if the view permission is there but no edit permission, then one can see the user details, but buttons/links such as Edit/Delete should be hidden/disabled (or you may show the user details in a read-only format, etc.).
Typically, I prefer to fetch the entire user permission set on login and cache it in application-wide context classes (generally the user-specific context gets backed by session state). The permission set would have methods to check against a specific permission. Then the base page (all pages would be derived from one common base page; intermediate base pages are possible for different concerns) would check whether the view permission for the page is present (the permission is obtained via a virtual method that the interested page overrides to supply), and if not, the user is redirected to the common error page. Adjusting specific UI as per permissions is left to the individual pages (although there can be cases where pages have common templates and even share that piece of code via another base page).
I am building an ASP.NET website that has members' pages. I have created a folder where I keep the members' pages, and it can only be accessed by logging in or creating a new account. The problem is how I make the URLs of these members' pages secure, so that someone can't simply give the URL to another user for them to copy into a browser or bookmark. Any suggestions greatly appreciated.
In web.config you need to specify that this folder is for permitted users only.
To grant individual security (person against person), just add a check (for example in Page_Load) that the member is permitted to see this page, and throw an HttpException with code 403 (Forbidden) if not.
You can do this through the authorization element in your web.config.
http://support.microsoft.com/kb/316871 has details on this, but roughly you will add things that look like this:
<location path="subdir1">
    <system.web>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
</location>
This will deny access to that subdir to all anonymous users.
To quote the MSDN page above:
When using forms-based authentication in ASP.NET applications, only authenticated users are granted access to pages in the application. Unauthenticated users are automatically redirected to the page specified by the loginUrl attribute of the Web.config file where they can submit their credentials. In some cases, you may want to permit users to access certain pages in an application without requiring authentication.
Edit:
In response to your edit about testing user pages, there are two ways I can think of that this might work. If the page is specific to a given user, then you can just make sure that in the code, rather than getting the user details from the URL, you look up who the logged-in user is and give them their page. So, for example, if you are currently looking at members/mypage.aspx?user=bob, then instead just link to members/mypage.aspx and in the code get the name of the logged-in user to use. Then there is no way to tell the code that you want Bob's page without being Bob.
In the more likely event that you have groups of users (e.g. admin) that can see a page, then you will need to put some code on your page to check permissions. For a given page you will need to work out who can view it somehow (e.g. by looking up that page against the allowed user roles to get a list of roles) and then check if the logged-in user is in that list of who can view (does the user have one of those roles?).
E.g. Bob is an admin and Frank isn't. When going to your admin.aspx page, you first of all look up admin.aspx and find out that the roles Admin and SuperAdmin are allowed to view it. You then look up the logged-in user and iterate through their roles until you find one in the allowed-roles list. If you find one, process the page as normal; if you don't, then either redirect somewhere else or throw an exception (e.g. throw your own MyAccessDeniedException that gets caught in your global event handler and shows a message explaining that the user doesn't have permissions).
All of this can be done in a base class of your page to prevent you having to include the code on every page. That is, you can create MyPage that inherits from Page and in the OnLoad (or OnInit or wherever you fancy) of MyPage run this security check. Then all the pages of your site inherit from MyPage instead of Page and you immediately get the functionality on all pages.
Hopefully this answers your questions.
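The base-page approach described in the answer above, and in the earlier answer about caching a permission set and checking it from one common base page, as an added example that is not code from either answer. Each page declares the roles allowed to view it through a virtual property; the base class runs the check in OnInit, before any control is created, and signals denial with an HttpException(403) so that a single customErrors entry (`<error statusCode="403" redirect="~/AccessDenied.aspx"/>`) decides where the user lands. Unauthenticated users are assumed to be handled already by a `<deny users="?"/>` rule as shown above; the class and page names are assumed.

```csharp
// Added example: one base page performs the role check so that individual
// pages only declare which roles may view them. SecurePage, ManagersDefault
// and the role names are assumed names for this illustration.
using System;
using System.Linq;
using System.Web;
using System.Web.UI;

public abstract class SecurePage : Page
{
    // Pages override this to declare who may view them. An empty array means
    // "any authenticated user", which the web.config <deny users="?"/> rule
    // already guarantees for the folder.
    protected virtual string[] AllowedRoles
    {
        get { return new string[0]; }
    }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        if (AllowedRoles.Length == 0)
            return;

        // Roles come from the authenticated principal (forms ticket or
        // RoleProvider), never from anything the client sends in the URL.
        bool allowed = AllowedRoles.Any(role => User.IsInRole(role));
        if (!allowed)
        {
            // Throwing stops the page lifecycle here, so no control on the
            // denied page is ever built or rendered. customErrors maps the
            // 403 to the access-denied page, or a Global.asax Application_Error
            // handler can log it and redirect.
            throw new HttpException(403, "Forbidden: " + Request.AppRelativeCurrentExecutionFilePath);
        }
    }
}

// A concrete page only declares its roles; the check itself lives in SecurePage.
public partial class ManagersDefault : SecurePage
{
    protected override string[] AllowedRoles
    {
        get { return new[] { "Admin", "SuperAdmin" }; }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Normal page logic; reached only by users in one of AllowedRoles.
    }
}
```

Throwing rather than calling Response.Redirect(url, false) matters here: with endResponse set to false the rest of the page lifecycle (Load, data binding, Render) still executes for the denied user, whereas the exception ends it at OnInit.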
I am trying to manually implement a login system in ASP.NET 3.5. Basically, on load, I would like the site to check whether the user object is active, and if not, I want the login page to appear.
After the user has logged in successfully, I would like the user to be able to access the same page he originally requested.
for example:
user request to: MyPage.aspx - not logged in
login page appears instead of MyPage.aspx
user logs in successfully
MyPage.aspx appears instead of Default.aspx for example
Peering at the System.Net namespace, I see that there is an "HttpWebRequest Class" which has a "HttpWebRequest.AllowAutoRedirect Property" but am unsure how that would get me back from the login page.
NOTE: I know there are automatic authentication systems setup in ASP.NET, but I would like to have manual control over the database.
-- Tomek
What you could do, if you don't want to actually use the built-in Forms Authentication, is:
Check whether the user is authenticated on each page you want to hide from anonymous users. If they are not authenticated, redirect them to your login page with the URL in the query string.
if (!HttpContext.Current.User.Identity.IsAuthenticated)
{
    Response.Redirect("~/login.aspx?redirect=this_page.aspx");
}
Then on your login page, after a user logs in, check the query string to see if there is a redirect parameter.
string redirect = Request.QueryString["redirect"];
if (!String.IsNullOrEmpty(redirect))
{
    string url = ResolveClientUrl(redirect);
    Response.Redirect(url);
}
Of course this is all built into .NET using Authentication, where you can deny anonymous access to certain directories, and when you do that, .NET will redirect to your login page (which is set in the web.config) and will include a "ReturnURL=blahblah" on your login page.
Just an FYI.
Just save the originally requested url in Session or a hidden field on the login page
After successful login, use Server.Transfer or Response.Redirect to jump to that page.
It looks like another method is described here. It seems that you can use the following object to return from the login page:
FormsAuthentication.RedirectFromLoginPage
Yet, according to the article, the better method is to use what JackM described, but with an overload:
Response.Redirect("~/default.aspx", false);
In doing so, you prevent the Session from ending when the page is redirected.
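The manual return-URL approach from the first answer and the Response.Redirect(url, false) overload from the last one, combined in an added example that is not code from any of the answers above. The query-string value decides where the browser goes after a successful login, so the login page accepts it only when it is an application-relative or root-relative path; an absolute URL or a protocol-relative prefix ("//") falls back to the default page, which keeps the login page from being usable as an open redirect. Control names, ValidateCredentials and "~/Default.aspx" are assumed; the parameter name ReturnUrl matches what Forms Authentication itself appends.

```csharp
// Added example: login page code-behind that sets the forms ticket manually
// and then honours the ReturnUrl parameter only when it points back into this
// application. txtUser, txtPassword, lblError and ValidateCredentials are
// assumed names for this illustration.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        if (!ValidateCredentials(txtUser.Text, txtPassword.Text))
        {
            lblError.Text = "Invalid user name or password.";
            return;
        }

        // Issue the authentication cookie without letting
        // FormsAuthentication choose the redirect target for us.
        FormsAuthentication.SetAuthCookie(txtUser.Text, false);

        string target = SafeReturnUrl(Request.QueryString["ReturnUrl"], "~/Default.aspx");

        // endResponse: false avoids the ThreadAbortException that
        // Response.Redirect(url) raises; CompleteRequest skips the rest of
        // the pipeline so nothing further is rendered for this request.
        Response.Redirect(target, false);
        Context.ApplicationInstance.CompleteRequest();
    }

    // Accepts only "~/..." or "/..." paths. Anything with a scheme or host
    // ("http://...", "//host", "/\host") is replaced by the fallback page.
    internal static string SafeReturnUrl(string candidate, string fallback)
    {
        if (string.IsNullOrEmpty(candidate))
            return fallback;

        candidate = candidate.Trim();

        // Protocol-relative and backslash variants are treated by browsers
        // as a new host, so they are rejected before the prefix checks.
        if (candidate.StartsWith("//") || candidate.StartsWith("/\\") || candidate.StartsWith("\\"))
            return fallback;

        if (candidate.StartsWith("~/") && !candidate.StartsWith("~//"))
            return candidate;

        if (candidate.StartsWith("/"))
            return candidate;

        return fallback;
    }

    // Assumed credential check; replace with a lookup against your own
    // user table if you are not using a MembershipProvider.
    private bool ValidateCredentials(string user, string password)
    {
        return Membership.ValidateUser(user, password);
    }
}
```

The protected pages themselves can keep the `?redirect=` pattern from the first answer, or simply rely on `<deny users="?"/>` so that Forms Authentication appends ReturnUrl for them; SafeReturnUrl handles both, since the parameter value is validated the same way regardless of who appended it.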