I need my users to be redirected to the AuthError.aspx page ("You don't have the access to this page") in the case when they are authenticated but try to access the page that t
You need to:
1) enable roles (in web.config): (replace 'xxx' with your own values)

```xml
<roleManager enabled="true">
  <providers>
    <clear />
    <add connectionStringName="ApplicationServices" applicationName="xxx"
         name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" />
    <add applicationName="xxx" name="AspNetWindowsTokenRoleProvider"
         type="System.Web.Security.WindowsTokenRoleProvider" />
  </providers>
</roleManager>
```
2) You need to restrict access to certain areas of your website for specific roles. I actually answered another question today where I explain how to achieve this. Here is the link
On the Page_Load of your login page, you'll want to check if the user is authenticated, and if they are, redirect them to your access denied page:

```csharp
protected void Page_Load(object sender, EventArgs e)
{
    if (User.Identity.IsAuthenticated) // if the user is already logged in
    {
        Response.Redirect("~/AccessDenied.aspx");
    }
}
```
If you want to get a little fancier, you can check the ReturnUrl parameter to determine if the user came to the page directly (such as through a bookmark they saved right to the login page) and handle that differently. Here's an example:
```csharp
protected void Page_Load(object sender, EventArgs e)
{
    if (User.Identity.IsAuthenticated)
    {
        // if they came to the page directly, ReturnUrl will be null.
        if (String.IsNullOrEmpty(Request["ReturnUrl"]))
        {
            /* in that case, instead of redirecting, I hide the login
               controls and instead display a message saying that they are
               already logged in. */
        }
        else
        {
            Response.Redirect("~/AccessDenied.aspx");
        }
    }
}
```
For me the least-hassle, most-benefit solution to this problem was to create another section (panel) in the Login.aspx page with contents to be displayed to users who are authenticated (e.g. logged in), saying "Access denied" instead of the login form. When a logged-in user hits the page, it means they most likely ended up here because they are not authenticated to access the page that redirected them here.
In the login page I use this very simple code to switch visibility of the panel and login form:
```csharp
if (Request.IsAuthenticated)
{
    LoginUser.Visible = false;
    AccessDeniedPanel.Visible = true;
}
```
It's dead simple and it works.
You need to distinguish between authentication and authorization. Your code snippet addresses the former ("Am I known to this site") but not the latter ("Am I allowed to access this page").
As @santiagoIT suggests, roles may be the best solution to implement the authorization you need. Some controls, such as the LoginView are role-aware and authentication-aware, so you can use these to display different content depending on the role that the user is in.
A common approach is to display different menus to users in the different roles, so that they are only presented with menus which are relevant to their roles - the LoginView is often used for this.
Alternatively you could control the visibility of the content on individual pages, again using the LoginView, so that users who are not authenticated get one message, those who are authenticated but not allowed to view the page get a second message, and those who are both authenticated and allowed to view the page see the content.
If you simply want to redirect a user who is authenticated but does not have the required access to view a page, you could also check that the user is in the appropriate role (Roles.IsUserInRole) and redirect to the "You do not have access.." page if not.
If you are really security conscious, you may want to combine the restricted menu/view approach with authorization checking on each page.
You may set a custom error page like this:
```xml
<system.web>
  <customErrors mode="On">
    <error statusCode="403" redirect="AuthError.aspx" />
  </customErrors>
</system.web>
```
Try this:
Suppose you need only admin users to access the specified page of yours; then in the Page_Load you could write this:
```csharp
if (User.Identity.IsAuthenticated)
{
    if (!User.IsInRole("Admin"))
    {
        Server.Transfer("~/AccessDeniedPage.aspx");
    }
}
```
And in case you are using routes you could do:
```csharp
if (User.Identity.IsAuthenticated)
{
    if (!User.IsInRole("Admin"))
    {
        Response.RedirectToRoute("AccessDeniedRoute");
    }
}
```
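Added example (not from any of the answers above) that applies the advice from the authentication-versus-authorization answer and from the role check in the last answer: a base page class that performs the role check once, for every page deriving from it, so the check cannot be forgotten on an individual page. It assumes the SqlRoleProvider from the first answer is enabled, an access-denied page named AuthError.aspx as in the question, a role named "Admin", and a hypothetical code-behind class AdminReport.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Base page for every page that requires a role. Derived pages only declare
// which roles may view them; the check itself lives in one place.
public abstract class AuthorizedPage : Page
{
    // Roles permitted to view the derived page (assumed names, set per page).
    protected abstract string[] AllowedRoles { get; }

    protected override void OnLoad(EventArgs e)
    {
        // Authentication: unknown users go to the login page, not to AuthError.
        if (!Request.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // Authorization: a known user must hold at least one allowed role.
        bool allowed = false;
        foreach (string role in AllowedRoles)
        {
            if (Roles.IsUserInRole(role))
            {
                allowed = true;
                break;
            }
        }

        if (!allowed)
        {
            // Authenticated but not authorized: send them to the access-denied
            // page instead of bouncing them back to the login form.
            Response.Redirect("~/AuthError.aspx");
            return;
        }

        base.OnLoad(e);
    }
}

// Hypothetical code-behind for an admin-only page (AdminReport.aspx).
public partial class AdminReport : AuthorizedPage
{
    protected override string[] AllowedRoles
    {
        get { return new[] { "Admin" }; }
    }
}
```

Pages that should be reachable by several roles list them all in AllowedRoles; a page with no role requirement simply derives from Page as usual.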