tags:

views:

1061

answers:

2
+4  Q: 

Override ASP.NET forms authentication for a single page

In our ASP.NET MVC application, we automatically redirect users to a log-on page via the <authentication> section of <system.web> when they attempt to access an authorized-only page. The problem is that one action in the middle of the application, designed to be used by a tool, needs to return a straight-up HTTP 401 response on bad access. How can I return a real HTTP 401 code without the redirect for this specific action?

+3  A: 

You can have separate <system.web> sections for separate paths. Here's an example:

<configuration>
  <location path="Foo/Bar.aspx">
    <system.web>
      <authorization>
        <allow roles="GoodGuys" />
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>

In this case, the page "Foo/Bar.aspx" is allowed to folks with the GoodGuys role, but denied to all others.

In your case, you might want to allow all without authentication:

<configuration>
  <location path="Foo/Bar.aspx">
    <system.web>
      <authentication mode="None" />
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
Randolpho  2009-06-02 21:06:01
If this were straight-up ASP.NET, that would work, but I'm unclear how to use that technique with ASP.NET MVC. The problem is that the should-return-401 URLs are at myapp/{rout parameter}/tool; there's no way to specify that in system.web, even if I wanted to.
Benjamin Pollack  2009-06-02 21:15:03
*blush* I did not see "MVC" when I read your post.
Randolpho  2009-06-02 21:22:57
+3  A: 

The following solution works, although I'm not at all sure it's optimal:

public class HttpAuthenticationRequiredResult : ActionResult
{
    public override void ExecuteResult(ControllerContext context)
    {
        var response = context.HttpContext.Response;
        response.StatusCode = 401;
        response.AddHeader("WWW-Authenticate", "Basic realm=\"whatever\"");
        response.Flush();
        response.Close();
    }
}

You can then return the above result instead of an HttpUnauthorizedResult to generate the required 401 code. This feels quite klugy to me, however.

Benjamin Pollack  2009-06-02 21:33:54

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps