Reputation: 180878
How do I serve up an Unauthorized page when a user is not in the Authorized Roles?
I am using the Authorize attribute like this:
[Authorize (Roles="Admin, User")]
Public ActionResult Index(int id)
{
// blah
}
When a user is not in the specified roles, I get an error page (resource not found). So I put the HandleError attribute in also.
[Authorize (Roles="Admin, User"), HandleError]
Public ActionResult Index(int id)
{
// blah
}
Now it goes to the Login page, if the user is not in the specified roles.
How do I get it to go to an Unauthorized page instead of the login page, when a user does not meet one of the required roles? And if a different error occurs, how do I distinguish that error from an Unauthorized error and handle it differently?
Upvotes: 41
Views: 29664
Answers (5)
Reputation: 6441
Just override the HandleUnauthorizedRequest method of AuthorizeAttribute. If this method is called, but the user IS authenticated, then you can redirect to your "not authorized" page.
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
if (filterContext.HttpContext.User.Identity.IsAuthenticated)
{
filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary(new { Area = "", Controller = "Error", Action = "Unauthorized" }));
}
else
{
base.HandleUnauthorizedRequest(filterContext);
}
}
}
Upvotes: 0
Reputation: 4702
You could do this in two ways:
Specify the error the HandleError-attribute, and give a view that should be shown:
[HandleError(ExceptionType = typeof(UnAuthorizedException), View = "UnauthorizedError")]
You can specify several different ExceptionTypes and views
- Create a custom ActionFilter, check there for credentials, and redirect to a controller if the user is unauthorized.: http://web.archive.org/web/20090322055514/http://msdn.microsoft.com/en-us/library/dd381609.aspx
Upvotes: 7
Reputation: 373
Perhaps a 403 status code is more appropriate based on your question (the user is identified, but their account is not privileged enough). 401 is for the case where you do not know what priveleges the user has.
Upvotes: 4
Reputation: 8380
Add something like this to your web.config:
<customErrors mode="On" defaultRedirect="~/Login">
<error statusCode="401" redirect="~/Unauthorized" />
<error statusCode="404" redirect="~/PageNotFound" />
</customErrors>
You should obviously create the /PageNotFound and /Unauthorized routes, actions and views.
EDIT: I'm sorry, I apparently didn't understand the problem thoroughly.
The problem is that when the AuthorizeAttribute filter is executed, it decides that the user does not fit the requirements (he/she may be logged in, but is not in a correct role). It therefore sets the response status code to 401. This is intercepted by the FormsAuthentication module which will then perform the redirect.
I see two alternatives:
Disable the defaultRedirect.
Create your own
IAuthorizationFilter. Derive fromAuthorizeAttributeand override HandleUnauthorizedRequest. In this method, if the user is authenticated do a redirect to /Unauthorized
I don't like either: the defaultRedirect functionality is nice and not something you want to implement yourself. The second approach results in the user being served a visually correct "You are not authorized"-page, but the HTTP status codes will not be the desired 401.
I don't know enough about HttpModules to say whether this can be circumvented with a a tolerable hack.
EDIT 2: How about implementing your own IAuthorizationFilter in the following way: download the MVC2 code from CodePlex and "borrow" the code for AuthorizeAttribute. Change the OnAuthorization method to look like
public virtual void OnAuthorization(AuthorizationContext filterContext)
{
if (AuthorizeCore(filterContext.HttpContext))
{
HttpCachePolicyBase cachePolicy = filterContext.HttpContext.Response.Cache;
cachePolicy.SetProxyMaxAge(new TimeSpan(0));
cachePolicy.AddValidationCallback(CacheValidateHandler, null /* data */);
}
// Is user logged in?
else if(filterContext.HttpContext.User.Identity.IsAuthenticated)
{
// Redirect to custom Unauthorized page
filterContext.Result = new RedirectResult(unauthorizedUrl);
}
else {
// Handle in the usual way
HandleUnauthorizedRequest(filterContext);
}
}
where unauthorizedUrl is either a property on the filter or read from Web.config.
You could also inherit from AuthorizeAttribute and override OnAuthorization, but you would end up writing a couple of private methods which are already in AuthorizeAttribute.
Upvotes: 26
Reputation: 26698
And HttpUnauthorizedResult (this comes as reuslt of the AuthorizeAtrribute) just sets StatusCode to 401. So probably you can setup 401 page in IIS or custom error pages in web.config. Of course, you also have to ensure that access to your custom error page is not requires authorization.
Upvotes: 3
Related Questions
- Redirect Unauthorized Page Access in MVC to Custom View
- ASP.NET MVC4 - Restrict all pages for a non-logged user
- ASP.NET MVC redirect to an access denied page using a custom role provider
- Redirect to another page when user is not authorized in asp.net mvc3
- How to Redirect Users to an ASP.NET page when not Authorized?
- How do I redirect to a not-authorized page instead of the login page when the user is already logged in?
- Using ASP.NET MVC Controller Action with authorized and unauthorized users
- Redirect to AccessDenied page when user is not authorized
- MVC3 Redirect to "Unauthorized" page not working?
- How can I show Authenticated but UNAUTHORIZED users an unauthorized page MVC 3?