I have an MVC application with the following block inside in Web.config:
<authentication mode="Forms">
<forms loginUrl="~/Login" timeout="2880" />
</authentication>
So, if a user requests a page and authorization fails, they will be redirected to ~/Login.
That's fine, and I need it for most of my controllers. However, I have a controller which I'd like to bypass this rule with. How can I allow specific controllers to ignore this rule?
My problem is that in my MVC application (which has several controllers), I have a certain controller which hosts a REST interface (not meant for browser use). Since this controller isn't meant for browser-consumption, I don't want it sending back an entire login page, (or any page whatsoever actually, just strings or partial views.)
Note that I'm using custom [Authorize...] attributes on my actions, and when THESE fail, they redirect to an Error action--but, unfortunately, my Error action (which returns a short string) is being redirected to the Login page because of this configuration setting!
I'm getting dizzy trying to figure this out, what am I doing wrong? I can provide more details if necessary.
You could extend the AuthorizeAttribute class and override HandleUnauthorizedRequest, you may want to return a Forbidden http status code rather than a custom message.
public class CustomAuthorizationAttribute : AuthorizeAttribute
{
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
// You need to set this action result to something other than a HttpUnauthorizedResult,
// this result will cause the redirection to the login page
// Forbidden request... does not redirect to login page
// filterContext.Result = new HttpStatusCodeResult(403);
filterContext.Result = new ErrorActionResult { ErrorMessage = "Unauthorized Access" };
}
}
public class ErrorActionResult : ActionResult
{
public string ErrorMessage { get; set; }
public override void ExecuteResult(ControllerContext context)
{
context.HttpContext.Response.Write(this.ErrorMessage);
}
}
Add the following after your system.web element in Web.config:
<location path="home">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
This will allow unauthenticated users access to "/home" and thus any actions on the HomeController.
Phil Haack has a pretty thorough blog post on this exact subject: Prevent Forms Authentication Login Page Redirect When You Don’t Want It