ASP.NET: Authenticated but not Authorized

Monday, December 4, 2006

Does anyone know if there is a built-in way to trigger the Membership/Roles/FormsAuth system to redirect to a separate page if the current user is authenticated, but not authorized to view the current page? Right now I'm handling Application.Authenticate and checking UrlAuthorizationModule.CheckUrlAccessForPrincipal, but I'm not sure that's the best way, and it's not as clean as I'd like. Thanks!

1 Comment

Since the status code will be set to 401 you could use the customErrors section to redirect to a aspx page but if the authentication fails the status code will be set to 401 as well. Therefore in the ASPX where you redirect to you could check if the IsAuthenticated flag is set to true for the current request.

It would off course had been better if Microsoft would make sure that the PostAuthorizeEvent would always be raised regardless whether or not the user is authorized.

glozano - Monday, December 4, 2006 10:12:13 AM

Comments have been disabled for this content.