Reputation: 28460
Override ASP.NET forms authentication for a single page
In our ASP.NET MVC application, we automatically redirect users to a log-on page via the <authentication> section of <system.web> when they attempt to access an authorized-only page. The problem is that one action in the middle of the application, designed to be used by a tool, needs to return a straight-up HTTP 401 response on bad access. How can I return a real HTTP 401 code without the redirect for this specific action?
Upvotes: 5
Views: 7774
Answers (3)
Reputation: 2160
Had a similar case where I needed to return back something that triggered an undesired redirect (basically a message about how authentication failed and it was redirecting to the login screen without the error information).
This solved the problem:
Response.SuppressFormsAuthenticationRedirect = true;
Upvotes: 0
Reputation: 28460
The following solution works, although I'm not at all sure it's optimal:
public class HttpAuthenticationRequiredResult : ActionResult
{
public override void ExecuteResult(ControllerContext context)
{
var response = context.HttpContext.Response;
response.StatusCode = 401;
response.AddHeader("WWW-Authenticate", "Basic realm=\"whatever\"");
response.Flush();
response.Close();
}
}
You can then return the above result instead of an HttpUnauthorizedResult to generate the required 401 code. This feels quite klugy to me, however.
Upvotes: 6
Reputation: 56439
You can have separate <system.web> sections for separate paths. Here's an example:
<configuration>
<location path="Foo/Bar.aspx">
<system.web>
<authorization>
<allow roles="GoodGuys" />
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
In this case, the page "Foo/Bar.aspx" is allowed to folks with the GoodGuys role, but denied to all others.
In your case, you might want to allow all without authentication:
<configuration>
<location path="Foo/Bar.aspx">
<system.web>
<authentication mode="None" />
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
Upvotes: 4
Related Questions
- Override/Disable Authorization in ASP.NET MVC 3
- Form authentication except for one page
- Remove authentication in ASP.net MVC single page application
- Override Authorize Attribute in ASP.NET MVC
- How best to override the authentication in MVC 5?
- ASP.NET MVC Windows authentication on top of forms authentication
- implement form authentication on some pages not all pages
- How to keep a default page with Forms Authentication?
- ignore authentication for a single page
- How to override authentication for certain web pages....?