Why Mvc.AuthorizeAttribute and Http.AuthorizeAttribute have different behavior for Unauthorized Status in Windows Authentication

Question

I have an problem in the application I am currently working that is using Windows Authentication.

I have MVC Controller and ApiController both with custom AuthorizeAttribute applied. When the Mvc.Authorization failed in MVC I can redirect it to an error page but for Http.Authorization I can only return IsAuthorized to true or false and it displays a modal dialog box same with the login modal for Windows Authentication when the user is not authorized. I can't search for the right explanation why it happens. Can I customize it? Both of them return 401 status but why do they have different behavior?

Answer 1

What you have mentioned is intended behavior.

Asp.NET MVC generally serves web pages to browser clients, thus in case of unauthorized access to any resource you redirect user from server itself to some another page (view) where you can show an error/message to user. So your response is redirection to another page and not unauthorized 401 status code.

But ASP.NET WebAPI is a service which should be consumed by other apps and their output is generally data rather then a particular view. So when an unauthorized access is identified, web API responds back with status code 401. (which is an intended behavior).

Now if you are trying to access web api through your browser and it receives an unauthorized response from server, it shows user a popup to give user a chance to provide credentials and hit api once again along with credentials.