TheChaseMan's Frenetic SoapBox

Always looking for better ways to do things...

"Access Denied" Page for Authenticated Users

 

I’m a little bummed out that there isn’t some kind of attribute tag that I can put on a <deny> tag to redirect to an “access denied” page of some sort if an authenticated user doesn’t belong to the proper role. By default, ASP.NET sends the user back to the login page. So, if I have a folder underneath the root Web that has a Web.config containing:

<location path="SomePage.aspx">
    <system.web>
        <authorization>
          <allow roles="Moderator" />
          <deny users="*"/>
        </authorization>
    </system.web>
</location>

I end up having to write code in the Login page specified by the root Web.config:

<authentication mode="Forms">
    <forms loginUrl="Logon.aspx"/>
</authentication>

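I’ve gone with this solution so far in the Logon.aspx page…

private void Page_Load(object sender, System.EventArgs e)
{
    if(!IsPostBack)
    {
        // An already-authenticated user who arrives with a ReturnURL was
        // sent here by an authorization rule, not by a missing login.
        if(User.Identity.IsAuthenticated &&
                       Request.Params["ReturnURL"] != null)
        {
            // false: do not end the response with a thread abort.
            Response.Redirect("AccessDenied.aspx", false);
        }
    }
}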

Anyone have a better way of doing this?
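One possible refinement of the Logon.aspx check above, as an added example that is not the author's code: it reads ReturnUrl from the query string only, records the refusal, and serves AccessDenied.aspx with a 403 status instead of a redirect. It assumes .NET 3.5 or later (for TrySkipIisCustomErrors); the Logon class name and the trace call standing in for a real audit logger are assumptions.

```csharp
using System;
using System.Web.UI;

// Added example: code-behind for the Logon.aspx named in the root Web.config.
// The class name "Logon" is an assumption.
public class Logon : Page
{
    // Page name taken from the post's redirect target.
    private const string AccessDeniedPage = "AccessDenied.aspx";

    // Forms authentication sends a rejected request to loginUrl with the
    // original path in the ReturnUrl query-string parameter. A user who is
    // already authenticated and still lands here was refused by an
    // <authorization> rule, so this is an authorization failure.
    internal static bool IsAuthorizationFailure(bool isAuthenticated, string returnUrl)
    {
        return isAuthenticated && !string.IsNullOrEmpty(returnUrl);
    }

    // OnLoad is overridden so the check runs whether or not
    // AutoEventWireup is enabled for the page.
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (IsPostBack) return;

        // Query string only: Request.Params also searches form fields,
        // cookies and server variables.
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (!IsAuthorizationFailure(Request.IsAuthenticated, returnUrl)) return;

        // Record who was refused what. CR/LF are stripped so a crafted
        // ReturnUrl cannot forge extra log lines. Stand-in for the
        // application's own audit logger (fully qualified because
        // Page.Trace hides System.Diagnostics.Trace inside a page).
        string safeUrl = returnUrl.Replace("\r", "").Replace("\n", "");
        System.Diagnostics.Trace.WriteLine(
            "Access denied: user=" + User.Identity.Name + " url=" + safeUrl);

        // Answer with 403 so clients, proxies and server logs see a refusal
        // rather than a redirect followed by a 200.
        Response.StatusCode = 403;
        // Keep IIS 7+ from replacing the page body with its own error page.
        Response.TrySkipIisCustomErrors = true;
        // Runs AccessDenied.aspx in this request; the status set above is
        // kept unless that page changes it.
        Server.Transfer(AccessDeniedPage);
    }
}
```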

 



posted on Friday, July 16, 2004 7:25 PM
