I've never seen this happen before: I've decorated a controller with an [Authorize(Roles = "Admin")] attribute, but instead of sending unregistered/un-signed-in users to the Login view via a 302 redirect, a JavaScript-generated sign-in prompt appears in the Chrome browser:
After entering his or her credentials, the user is then given a 401 error. The suggestions on SO for setting the <authentication mode> and removing the <FormsAuthenticationModule> in Web.Config don't alter this behavior. I have previously created another project using the exact same controllers, reference libraries, etc. and never encountered this undesired behavior.
The big blind spot for me right now is whether there is some sort of OWIN conflict going on. To observe my app's behavior at startup, I created a test variable inside the app.UseCookieAuthentication() method and set a breakpoint. I observed during debugging that this method wasn't being called at all (see full code block below):
    using System;
    using Microsoft.AspNet.Identity;
    using Microsoft.AspNet.Identity.Owin;
    using Microsoft.Owin;
    using Microsoft.Owin.Security.Cookies;
    using Owin;

    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),
                Provider = new CookieAuthenticationProvider
                {
                    // Enables the application to validate the security stamp when the user logs in.
                    // This is a security feature which is used when you change a password or add an external login to your account.
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(30),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager)),
                    OnApplyRedirect = ctx =>
                    {
                        var t = 2; // test variable for the breakpoint
                        // Overriding OnApplyRedirect replaces the default handler, so without
                        // this call the 302 to LoginPath would never be written.
                        ctx.Response.Redirect(ctx.RedirectUri);
                    }
                }
            });
        }
    }
To provide more clarity, here's the decorated controller action with the uncooperative [Authorize] attribute.
    [Authorize(Roles = "Admin")]
    public ActionResult BlogPostsAdmin()
    {
        return View(db.BlogPosts.ToList());
    }
Here's the AccountController that is supposed to return the Login View:
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }
Any help?
UPDATE: I am just going to hack together a custom authorize attribute for now, though this is not desirable for production:
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.Mvc;

    namespace PortfolioSite.Framework
    {
        public class SiteAuthorizeAttribute : AuthorizeAttribute
        {
            protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
            {
                // Set the filter's result instead of calling base (which assigns a 401
                // HttpUnauthorizedResult) and then Response.Redirect(): the two would fight
                // over the response and Response.Redirect() ends it with a ThreadAbortException.
                filterContext.Result = new RedirectResult("/Account/Login");
            }
        }
    }
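An added example, not code from the question, showing the two pieces an OWIN-hosted MVC 5 app needs for a cookie-based 302 to the login page: explicit discovery of the Startup class (if OWIN never finds and runs it, the cookie middleware is never registered and the 401 from [Authorize] reaches the browser unconverted), and an authorize attribute that preserves the return URL and answers 403 to a signed-in user who merely lacks the role, so that it cannot loop back to the login page. The namespace PortfolioSite, the AuthenticationType and LoginPath values and the package set (Microsoft.Owin.Host.SystemWeb, Microsoft.AspNet.Identity.Owin) are assumptions.

```csharp
// Added example (not the question's code). Assumes the Microsoft.Owin.Host.SystemWeb
// and Microsoft.AspNet.Identity.Owin packages are installed and the app lives in
// namespace PortfolioSite.
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// 1. Make Startup discovery explicit. OWIN's host looks for a Startup class (or this
//    attribute); if it finds none, Configuration() never runs, nothing converts the
//    401 that [Authorize] produces into a redirect, and a breakpoint inside
//    UseCookieAuthentication() is never hit.
[assembly: OwinStartup(typeof(PortfolioSite.Startup))]

namespace PortfolioSite
{
    public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                // Must match the type the sign-in code uses, otherwise the challenge
                // issued for the 401 is not one this middleware handles.
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login")
                // OnApplyRedirect is deliberately left at its default so the middleware
                // writes the 302 itself.
            });
        }

        // 2. A fallback attribute that redirects anonymous users with a returnUrl and
        //    refuses (403) authenticated users outside the role instead of redirecting
        //    them to a login page they have already passed.
        public class SiteAuthorizeAttribute : AuthorizeAttribute
        {
            protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
            {
                var identity = filterContext.HttpContext.User?.Identity;
                if (identity != null && identity.IsAuthenticated)
                {
                    // Signed in but not authorized: 403, never a redirect loop.
                    filterContext.Result = new HttpStatusCodeResult(403);
                    return;
                }

                // Anonymous: send to the login action and carry the original URL along
                // so the Login(string returnUrl) action can bring the user back.
                filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
                {
                    { "controller", "Account" },
                    { "action", "Login" },
                    { "returnUrl", filterContext.HttpContext.Request.RawUrl }
                });
            }
        }
    }
}
```

The returnUrl handed back from the login page should be checked with Url.IsLocalUrl() before redirecting to it, as the default MVC 5 AccountController template already does, so that the round trip cannot be turned into an open redirect.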