One of the tasks I'm assigned on one of our websites is to gracefully handle users who are not members of the appropriate AD group. They should (somehow) get a message to the effect:
You do not have rights to this application. If you believe you should have rights, please contact So and So.
We're using Windows authentication ... so in Web.Config I've changed from
<allow users="*" />
with a Location block
Navigating directly to SecurityError.aspx works -- glad SOMETHING does.
But after entering credentials that are for a user who lacks rights, I get through to the other pages ... which then blow up when they try to access the DB.
Having carefully read http://www.codeproject.com/KB/aspnet/Custon401Page.aspx, I added the following to my Global.asax.vb:
Protected Sub Application_EndRequest(ByVal sender As Object, _
ByVal e As EventArgs) Handles MyClass.EndRequest
'taken and translated from http://www.codeproject.com/KB/aspnet/Custon401Page.aspx
Dim context As HttpContext = HttpContext.Current
, 3).Equals("401")) Then
That appears to have no effect.
Configuring IIS settings is an option for me ... I have to work out the settings on our DEV system & have the admins put them in when we go to PROD ... but that's fine.
But going into the Custom Errors section of the Web Application entry, I set 401.2 to redirect to SecurityError.aspx. No better.
Another developer has told me to allow everybody in Web.Config, but check in the page whether the user is authenticated ... which sounds REALLY wrong.
So ... what is the RIGHT way to do this in ASP.Net?