未经授权的访问，并且不重定向到登录页面 [英] Unauthorized access and NOT redirecting to the login page

问题描述

我的网站正在使用表单身份验证.我在根web.config中具有此名称(出于安全目的进行了一些更改):

My website is using forms authentication. I have this in the root web.config (with some changes for security purposes):

<authentication mode="Forms">
  <forms loginUrl="~/Login/Default.aspx" name=".MyAuthCookie" 

    defaultUrl="~/Secured/Default.aspx" enableCrossAppRedirects="true" 

    protection="All" path="/" timeout="30" />
</authentication>

这非常有用:当未经身份验证的用户尝试访问该站点时，会将其定向到登录页面.

我有几个文件夹使用它们自己的非常短的web.config文件来限制，如下所示:

This works great: when an unauthenticated user tries to access the site, he is directed to the login page.

I have several folders that are restricted using their own very short web.config files, like this:

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization lockItem="true">
      <allow roles="Administrator, Executive"/>
      <allow users="User1, User2"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>

这也很好用:当除允许的用户或角色之外的其他人尝试访问文件夹中的文件时，他们将被拒绝.

我的问题是，IIS将拒绝的用户视为未经身份验证的用户，并将其重定向到登录页面.我想要的行为是认识到他已通过身份验证，只是未经授权，然后将他重定向到显示权限被拒绝"的页面.

我启用了自定义错误，并且401状态被重定向到名为"NoPermission.aspx"的页面.不幸的是，它没有被抓住.

This also works great: when someone other than an allowed user or role tries to access a file in the folder, they are denied.

My problem is that IIS treats the denied user as if he was unauthenticated, and redirects him to the login page. The behavior I want is to recognize that he is authenticated, just not authorized, and redirect him to a page that says "Permission denied."

I have custom errors enabled, and the 401 status is redirected to a page called "NoPermission.aspx". Unfortunately, it is not being caught.

Suggestions?

推荐答案

UrlAuthorizationModule负责授权，并且只能在global.asax文件中处理. 在您的global.asax文件中添加以下代码-

The UrlAuthorizationModule takes care of the authorization and this can be handled only in global.asax file.
In your global.asax file add the following code -

void Application_AuthorizeRequest(Object sender, EventArgs e)
    {
        if (Request.IsAuthenticated && (Request.HttpMethod == "GET") &&  !string.IsNullOrEmpty(Request["ReturnUrl"]))
        {
            Response.Redirect("~/NoAccess.aspx");
        }
    }

这篇关于未经授权的访问，并且不重定向到登录页面的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！