5

In our ASP.NET MVC application, we automatically redirect users to a log-on page via the <authentication> section of <system.web> when they attempt to access an authorized-only page. The problem is that one action in the middle of the application, designed to be used by a tool, needs to return a straight-up HTTP 401 response on bad access. How can I return a real HTTP 401 code without the redirect for this specific action?

Improve this question

3 Answers 3

Reset to default
6

The following solution works, although I'm not at all sure it's optimal:

public class HttpAuthenticationRequiredResult : ActionResult
{
    public override void ExecuteResult(ControllerContext context)
    {
        var response = context.HttpContext.Response;
        response.StatusCode = 401;
        response.AddHeader("WWW-Authenticate", "Basic realm=\"whatever\"");
        response.Flush();
        response.Close();
    }
}

You can then return the above result instead of an HttpUnauthorizedResult to generate the required 401 code. This feels quite klugy to me, however.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

4

You can have separate <system.web> sections for separate paths. Here's an example:

<configuration>
  <location path="Foo/Bar.aspx">
    <system.web>
      <authorization>
        <allow roles="GoodGuys" />
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>

In this case, the page "Foo/Bar.aspx" is allowed to folks with the GoodGuys role, but denied to all others.

In your case, you might want to allow all without authentication:

<configuration>
  <location path="Foo/Bar.aspx">
    <system.web>
      <authentication mode="None" />
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
Improve this answer

3 Comments

If this were straight-up ASP.NET, that would work, but I'm unclear how to use that technique with ASP.NET MVC. The problem is that the should-return-401 URLs are at myapp/{rout parameter}/tool; there's no way to specify that in system.web, even if I wanted to.
Although this works for the authorization element, it doesn't work for authentication - I get the following error: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately. It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level.
I get the same error as Ben Laan. I am struggling with FormsAuthentication. It works as intended, but for one page on which some ajax requests happen, I don't want the 401-code to be overridden by a 302 to end up going to the loginpage. The execution should just end with the status code I put on the Response.
0

Had a similar case where I needed to return back something that triggered an undesired redirect (basically a message about how authentication failed and it was redirecting to the login screen without the error information).

This solved the problem:

Response.SuppressFormsAuthenticationRedirect = true;
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.