After browsing the MVC section on CodePlex, I noticed that the [Authorize] attribute in MVC returns an HttpUnauthorizedResult() when authorization fails (CodePlex AuthorizeAttribute class).
In the source of HttpUnauthorizedResult() from CodePlex is the code (I'm not allowed to enter another URL as my rep isn't high enough, but replace the numbers in the URL above with 22929#266476):
    // 401 is the HTTP status code for unauthorized access - setting this
    // will cause the active authentication module to execute its default
    // unauthorized handler
    context.HttpContext.Response.StatusCode = 401;
In particular, the comment describes the authentication module's default unauthorized handler.
I can't seem to find any information on this default unauthorized handler. In particular, I'm not using FormsAuthentication and when authorization fails I get an ugly IIS 401 error page.
Does anyone know about this default unauthorized handler, and in particular how FormsAuthentication hooks itself in to override it?
I'm writing a really simple app for my football team who confirm or deny whether they can play a particular match. If I enable FormsAuthentication in the web.config the redirect works, but I'm not using FormsAuthentication and I'd like to know if there's a workaround.