HttpModule events - intercept sharepoint redirect to accessdenied.aspx

4
votes

For my SharePoint setup I have a a specific user group that does not have access to the frontpage of the site. If they visit it directly, they get the standard "Access denied" page from SharePoint.

I am developing a HttpModule that intercepts visit to the frontpage, checks the current user and redirects him to the sub-site they have access to.

I first tried using the PostAuthorizeRequest, but it seems SharePoint triggers on an earlier event and still redirects to the Access Denied page. I have tested with a user that had access to the frontpage but still be redirected, and there the redirect works fine.

Which event do I need to capture to be able to get the user after they've entered username/password but before SharePoint redirects them?

3
sharepointredirecthttpmodule

3 Answers

3
votes

Instead of catching an "unauthorized" event in your code, I suggest that you go with custom errors. When a user is redirected to the Access denied page, SharePoint is actually throwing an error with the error code "401" (for unauthorized).

In your web.config you can configure the behavior of your application for the 401 errors. If you've ever done an custom error page on a web app, it's the same thing. Look for the CustomError node in your web.config and modify it to something like this : 

<customErrors mode="On" defaultRedirect="~/_layouts/CustomErrorPage.aspx">
  <error statusCode="401" redirect="~/_layouts/AccessDeniedPage.aspx" />
</customErrors>

Then create your CustomErrorPage.aspx and your AccessDeniedPage.aspx and deploy them to the 12 hive.

In the code behind of these pages, you can override the PageLoad event to redirect them wherever you want to : 

protected void Page_Load(object sender, EventArgs e)
{
    bool isLogged = HttpContext.Current.User.Identity.IsAuthenticated;
    Response.Redirect("wherever");
}

Note that at this point you will still have access to the SPContext object if you need it (and i'm assuming you will want to write specific code depending on the group membership of the user).

This is not a SharePoint specific behavior. All ASP.NET apps work that way. Using a site-wide configuration will allow you to only run your code when it needs to run (i.e. when the access is denied) instead of checking for permissions on every page load or something like that.

0
votes

As in SharePoint 2013 we have Bug for configuring Custom Access Denied Page, Explained here how to implement using HTTPModule.

Create HTTPModule Step Wise - Explained with CustomAccessDenied Page in SharePoint 2013

0
votes

Use the SPSecurity.SuppressAccessDeniedRedirectInScope method that is available in the API to prevent SharePoint out of the box redirection. Example of usage - wrap your code in this snippet:

using (SPSecurity.SuppressAccessDeniedRedirectInScope scope = new SPSecurity.SuppressAccessDeniedRedirectInScope()) {
try{
catch (UnauthorizedAccessException ex){
}
}