Thanks for the response Scott.
>It sounds like what you are saying is that you want to
be able to
configure multiple loginUrl endpoints within >the
<authentication->forms> element within the
web.config file.
This is essentially correct. As I was stating before, I have
two
sections of my site that require authentication to access.
One is for
"customers" and the other is for
"admins" and each has its own specific
folder. What I wanted to do was use forms authentication and
have
separate login pages specified in the config file for each
restricted
folder.
The reasoning for this is that the login logic is different
for each
group. Different wording, methods, tables, etc. From my
research I can
only specify one login page in the config file. If this is
wrong, please
let me know.
As a workaround, I put the login logic and controls for each
group into
separate user controls and have just one sign-in page. On
page load, I
check where the user is trying to go (custom or admin area),
via the
ReturnUrl value and serve up the correct user control. I
have also
customized the forms authentication to utilize roles. Upon
being
verified as either a customer or admin, the role gets added
to the
encrypted cookie and associated with the User.Identity in
the
Application_AuthenticateRequest event handler.
My web.config file looks like this:
<location path="admin">
<system.web>
<authorization>
<allow roles="Administrator" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="myaccount">
<system.web>
<authorization>
<allow roles="Customer" />
<deny users="*" />
</authorization>
</system.web>
</location>
It would be nice to be able to override the default login
page if a user
tries to go to a different part of the site. I would assume
this would
be done in an Authentication section of the location
element. I'm not
the first to want this feature, as there were many people
requesting
this option on Google. Perhaps it is something that might
find its way
into a future version of ASP.NET.
Where I think this is confusing is that MS assumes all
possible users
are stored with their role information in one common
repository. In my
case, they are in different repositories and the two will
never overlap.
There will never be a user that is both an admin and a
customer. They
are entirely unrelated entities.
Thanks for the response though. It's always nice to hear
from the people
who design the tools we use.
Brian
-----Original Message-----
From: Discussion of building .NET applications targeted for
the Web
[mailto OTNET-WE
B DISCUSS.DEVELOP.COM] On Behalf Of Scott Guthrie
Sent: Wednesday, April 12, 2006 12:46 PM
To: DOTNET-WEBDISCUSS.DEVELOP.COM
Subject: Re: [DOTNET-WEB] Multiple Login Pages?
I'm a little confused -- what is the feature you are
looking to have
added?
You can have multiple login pages today, each with their own
semantics.
So that is supported. You can also optionally configure
membership
providers to go against multiple credential stores.
It sounds like what you are saying is that you want to be
able to
configure multiple loginUrl endpoints within the
<authentication->forms>
element within the web.config file. What isn't clear to me
is what the
semantic should be with this.
Today when you access a page for the first time that
requires you to
authenticate, ASP.NET uses this configured url to send you
to the
specified login.aspx page. It sounds like you want to
optionally send
admins to a different page. But it isn't clear to me how
ASP.NET itself
would be able to identify whether your user is a normal user
or admin if
they aren't logged in yet?
Note that you could add your own custom code today to the
site to
identify them someway custom (although you'd want to be
very careful --
since in the absence of an encrypted authentication ticket
you want to
make sure this can't be spoofed).
Thanks,
Scott
-----Original Message-----
From: Discussion of building .NET applications targeted for
the Web
[mailtoOTNET-WE
BDISCUSS.DEVELOP.COM] On Behalf Of Brian Vallelunga
Sent: Wednesday, April 12, 2006 8:02 AM
To: DOTNET-WEBDISCUSS.DEVELOP.COM
Subject: Re: [DOTNET-WEB] Multiple Login Pages?
Since the admins will be requesting pages under /admin/ and
the
customers pages under /account/ I will simply check the
requested page
and show the appropriate text and using the appropriate
validation
routines. The sign-in will put people into various roles as
well, with
the config file controlling access to the various
directories.
Thanks for the help and I hope MS adds this feature in the
future.
Brian
-----Original Message-----
From: Discussion of building .NET applications targeted for
the Web
[mailtoOTNET-WE
BDISCUSS.DEVELOP.COM] On Behalf Of Mike Andrews
Sent: Wednesday, April 12, 2006 10:29 AM
To: DOTNET-WEBDISCUSS.DEVELOP.COM
Subject: Re: [DOTNET-WEB] Multiple Login Pages?
As Ryan suggested, you can either use the same login page or
two
different ones.
The only way you could use the same login page is if all of
your logins
are validated by the method which returns a validated user.
The you
will know if your validated user is an admin or a regular
user thereby
allowing you to redirect to a specified location. You can
also use the
web.config file to designated particular directories for
access to only
specific users.
Alternatively, you can create two web projects with two
web.config
files.
Later,
Mike
On 4/12/06, Brian Vallelunga <brianvallelunga.com> wrote:
>
> Nothing sensitive, just text saying something like
"To administer your
> site, please login." What I will do is check the
url they are trying
> to reach and display the appropriate text. That should
work as an
> appropriate workaround.
>
> Brian
>
> -----Original Message-----
> From: Discussion of building .NET applications targeted
for the Web
> [mailtoOTNET-WE
BDISCUSS.DEVELOP.COM] On Behalf Of Ryan Heath
> Sent: Wednesday, April 12, 2006 3:13 AM
> To: DOTNET-WEBDISCUSS.DEVELOP.COM
> Subject: Re: [DOTNET-WEB] Multiple Login Pages?
>
> Hi,
>
> You can of course create your own login page (for
admins) but they
> will have to navigate themselves to that login page
since asp.net
> supports only one login page currently. That is it will
always
> redirect to one login page as noted in the web.config.
>
> May I ask what is on that admin login page that should
not belong on
> the customer login page? Because no
"sensitive" information should be
> placed on any login page ..
>
> // Ryan
>
> On 4/11/06, Brian Vallelunga <brianvallelunga.com> wrote:
> > I know this wasn't supported in 1.1, but I
thought 2.0 might allow
> > multiple login pages for use with forms
authentication. I need this
> > ability because I have a "customer"
section of my site and an
"admin"
> > section. The administration section should have a
different login
> > page
>
> > than the customer section.
> >
> > Thanks,
> >
> > Brian
> >
> > ===================================
> > This list is hosted by DevelopMentor(r) http://www.develop.com
> >
> > View archives and manage your subscription(s) at
> > http://discuss.develop.com
> >
>
> ===================================
> This list is hosted by DevelopMentor(r) http://www.develop.com
>
> View archives and manage your subscription(s) at
> http://discuss.develop.com
>
> ===================================
> This list is hosted by DevelopMentor(r) http://www.develop.com
>
> View archives and manage your subscription(s) at
> http://discuss.develop.com
>
===================================
This list is hosted by DevelopMentor(r) http://www.develop.com
View archives and manage your subscription(s) at
http://discuss.develop.com
===================================
This list is hosted by DevelopMentor(r) http://www.develop.com
View archives and manage your subscription(s) at
http://discuss.develop.com
===================================
This list is hosted by DevelopMentor(r) http://www.develop.com
View archives and manage your subscription(s) at
http://discuss.develop.com
===================================
This list is hosted by DevelopMentorŪ http://www.develop.com
View archives and manage your subscription(s) at http://discuss.develop.com
|