My website is using forms authentication. I have this in the root web.config (with some changes for security purposes):
<authentication mode="Forms">
  <forms loginUrl="~/Login/Default.aspx" name=".MyAuthCookie"
         defaultUrl="~/Secured/Default.aspx" enableCrossAppRedirects="true"
         protection="All" path="/" timeout="30" />
</authentication>
This works great: when an unauthenticated user tries to access the site, he is directed to the login page.
I have several folders that are restricted using their own very short web.config files, like this:
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization lockItem="true">
      <allow roles="Administrator, Executive"/>
      <allow users="User1, User2"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
This also works great: when someone other than an allowed user or role tries to access a file in the folder, they are denied.
My problem is that IIS treats the denied user as if he were unauthenticated, and redirects him to the login page. The behavior I want is to recognize that he is authenticated, just not authorized, and redirect him to a page that says "Permission denied."
I have custom errors enabled, and the 401 status is redirected to a page called "NoPermission.aspx". Unfortunately, it is not being caught.
Suggestions?
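One way to tell the two cases apart, as an added example that is not part of the original post: FormsAuthenticationModule turns any 401 left by UrlAuthorizationModule into a 302 to loginUrl during EndRequest, which is why the customErrors mapping for 401 never fires. A handler in Global.asax.cs (a hypothetical file assumed to sit next to the root web.config above, with NoPermission.aspx at the site root) can inspect the outgoing response and reroute callers who already hold a valid ticket.

```csharp
// Global.asax.cs (added example, not from the original post). Assumes the root
// web.config shown above and a NoPermission.aspx page outside the restricted folders.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;

        // Only callers who already presented a valid forms-auth ticket are of interest;
        // genuinely anonymous users should still land on the login page.
        if (ctx == null || !ctx.Request.IsAuthenticated)
            return;

        // Case 1: the 401 from UrlAuthorizationModule is still in place.
        bool deniedWith401 = ctx.Response.StatusCode == 401;

        // Case 2: FormsAuthenticationModule has already rewritten that 401 into a
        // 302 to the login page (the redirect the question describes).
        string redirect = ctx.Response.RedirectLocation;
        bool sentToLogin = ctx.Response.StatusCode == 302
            && redirect != null
            && redirect.StartsWith(FormsAuthentication.LoginUrl,
                                   StringComparison.OrdinalIgnoreCase);

        if (!deniedWith401 && !sentToLogin)
            return;

        // Authenticated but not authorized: replace the login redirect with the
        // permission-denied page. endResponse:false avoids the ThreadAbortException
        // that Response.End() would raise inside the pipeline.
        ctx.Response.Clear();
        ctx.Response.Redirect("~/NoPermission.aspx", false);
    }
}
```

NoPermission.aspx must be readable by every authenticated user (i.e. not placed under one of the folders with a deny rule), otherwise the denied request for that page is itself rerouted and the browser loops.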