views:

458

answers:

3

I am using the Authorize attribute like this:

[Authorize (Roles="Admin, User")]
Public ActionResult Index(int id)
{
    // blah
}

When a user is not in the specified roles, I get an error page (resource not found). So I put the HandleError attribute in also.

[Authorize (Roles="Admin, User"), HandleError]
Public ActionResult Index(int id)
{
    // blah
}

Now it goes to the Login page, if the user is not in the specified roles.

How do I get it to go to an Unauthorized page instead of the login page, when a user does not meet one of the required roles? And if a different error occurs, how do I distinguish that error from an Unauthorized error and handle it differently?

+6  A: 

Add something like this to your web.config:

<customErrors mode="On" defaultRedirect="~/Login">
     <error statusCode="401" redirect="~/Unauthorized" />
     <error statusCode="404" redirect="~/PageNotFound" />
</customErrors>

You should obviously create the /PageNotFound and /Unauthorized routes, actions and views.

EDIT: I'm sorry, I apparently didn't understand the problem thoroughly.

The problem is that when the AuthorizeAttribute filter is executed, it decides that the user does not fit the requirements (he/she may be logged in, but is not in a correct role). It therefore sets the response status code to 401. This is intercepted by the FormsAuthentication module which will then perform the redirect.

I see two alternatives:

  1. Disable the defaultRedirect.

  2. Create your own IAuthorizationFilter. Derive from AuthorizeAttribute and override HandleUnauthorizedRequest. In this method, if the user is authenticated do a redirect to /Unauthorized

I don't like either: the defaultRedirect functionality is nice and not something you want to implement yourself. The second approach results in the user being served a visually correct "You are not authorized"-page, but the HTTP status codes will not be the desired 401.

I don't know enough about HttpModules to say whether this can be circumvented with a a tolerable hack.

EDIT 2: How about implementing your own IAuthorizationFilter in the following way: download the MVC2 code from CodePlex and "borrow" the code for AuthorizeAttribute. Change the OnAuthorization method to look like

    public virtual void OnAuthorization(AuthorizationContext filterContext)
    {
        if (AuthorizeCore(filterContext.HttpContext))
        { 
            HttpCachePolicyBase cachePolicy = filterContext.HttpContext.Response.Cache;
            cachePolicy.SetProxyMaxAge(new TimeSpan(0));
            cachePolicy.AddValidationCallback(CacheValidateHandler, null /* data */);
        }
        // Is user logged in?
        else if(filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Redirect to custom Unauthorized page
            filterContext.Result = new RedirectResult(unauthorizedUrl);
        } 
        else {
            // Handle in the usual way
            HandleUnauthorizedRequest(filterContext);
        }
    }

where unauthorizedUrl is either a property on the filter or read from Web.config.

You could also inherit from AuthorizeAttribute and override OnAuthorization, but you would end up writing a couple of private methods which are already in AuthorizeAttribute.

Rune
This didn't work. The new controllers and routes test out OK, but the redirect to the login page is apparently occurring prior to this.
Robert Harvey
Hmm, I was pretty sure it had worked for me in the past. I'll check it out in a couple of hours.
Rune
`but the HTTP status codes will not be the desired 401` -- I can think of a couple of ways to fix that. One way is to put `Response.StatusCode = 401;` right before `return View(“Unauthorized”);` in the controller.
Robert Harvey
The other way is to write a custom `IExceptionAttribute` filter, replacing the `HandleErrorAttribute` in the ASP.NET MVC framework with a smarter one. See http://richarddingwall.name/2008/08/17/strategies-for-resource-based-404-errors-in-aspnet-mvc/
Robert Harvey
What we really want is to override the behaviour of FormsAuthenticationModule to only redirect if the user is not authenticated, but that doesn't seem to be possible. This is not good.
Rune
The custom `IAuthorization` filter approach you described in EDIT 2 is the one I am currently leaning towards. Thanks for the code snippet.
Robert Harvey
@Rune, your `if` statement was backwards, so I fixed it in your answer, and added some comments. It works! Thanks again.
Robert Harvey
@Robert: Great to hear (well, not the thing about the if-statement :-). Thanks for the notification.
Rune
+1  A: 

And HttpUnauthorizedResult (this comes as reuslt of the AuthorizeAtrribute) just sets StatusCode to 401. So probably you can setup 401 page in IIS or custom error pages in web.config. Of course, you also have to ensure that access to your custom error page is not requires authorization.

Mike Chaliy
+5  A: 

You could do this in two ways:

  1. Specify the error the HandleError-attribute, and give a view that should be shown:

    [HandleError(ExceptionType = typeof(UnAuthorizedException), View = "UnauthorizedError")]

You can specify several different ExceptionTypes and views

  1. Create a custom ActionFilter, check there for credentials, and redirect to a controller if the user is unauthorized.: http://msdn.microsoft.com/en-us/library/dd381609.aspx
Pbirkoff