
As described in the linked posts, I am not satisfied with the built-in AuthorizeAttribute, because it always redirects to the declared login page. I need different behaviour between 401 Not Authenticated (I know it is called Unauthorized) and 403 Forbidden. Forbidden shouldn't link to the login page.

As suggested in this or this solution, I implemented a custom attribute called AuthenticateAndAuthorizeAttribute inheriting from AuthorizeAttribute.

public class AuthenticateAndAuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute {
    protected override void HandleUnauthorizedRequest(System.Web.Mvc.AuthorizationContext filterContext) {
        // Authenticated but not in the required roles/users: answer 403 instead of bouncing to the login page.
        if (filterContext.HttpContext.Request.IsAuthenticated) {
            filterContext.Result = new System.Web.Mvc.HttpStatusCodeResult((int)System.Net.HttpStatusCode.Forbidden);
        }
        else {
            // Not authenticated: keep the built-in 401 behaviour (redirect to the login page).
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

All in all it does what it is supposed to do. But, because only the HttpStatusCode of the response is changed, I get an empty page. I know it is because there is no custom error page defined in the web.config. Instead we use the solution of "overriding" the method protected void Application_Error(object sender, EventArgs e) in the global.asax. This enables us to create different error pages for default requests and ajax requests. Unfortunately this does not work when just setting the status code of the response. So I implemented the attribute to throw HttpExceptions.

using System.Web;
using System.Web.Mvc;

public class AuthenticateAndAuthorizeAttribute : AuthorizeAttribute {
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext) {
        // Authenticated but not authorized: 403, so the caller is not sent to the login page.
        if (filterContext.HttpContext.Request.IsAuthenticated) {
            throw new HttpException((int)System.Net.HttpStatusCode.Forbidden, "Forbidden!");
        } else {
            // Not authenticated at all: 401, picked up by Application_Error in global.asax.
            throw new HttpException((int)System.Net.HttpStatusCode.Unauthorized, "Not Authenticated!");
        }
    }
}

Now I wonder if this is a common/correct way to deal with authentication and authorization, or if I break some built-in (security) features of ASP.NET. Could someone see any problems with this solution?

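The Application_Error side of this setup, as an added example rather than the question author's code: it turns the 401/403 HttpExceptions thrown by the attribute above into a bare JSON status for ajax requests and into a full error page (or the usual login redirect for 401) for normal requests. ErrorController and its Forbidden view are hypothetical names; SuppressFormsAuthenticationRedirect needs .NET 4.5 or later.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical controller behind the full-page 403 view (expects Views/Error/Forbidden.cshtml).
public class ErrorController : Controller
{
    public ActionResult Forbidden() { Response.StatusCode = 403; return View(); }
}
public class MvcApplication : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        var httpException = Server.GetLastError() as HttpException;
        int statusCode = httpException != null ? httpException.GetHttpCode() : 0;
        if (statusCode != 401 && statusCode != 403)
            return;   // anything else stays with the default error handling
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = statusCode;
        Response.TrySkipIisCustomErrors = true;   // keep IIS from swapping in its own page
        bool isAjax = Request.Headers["X-Requested-With"] == "XMLHttpRequest";
        if (isAjax)
        {
            // An XHR cannot usefully follow a login redirect: return the bare status as JSON and
            // (.NET 4.5+) stop FormsAuthenticationModule rewriting the 401 into a 302 to loginUrl.
            Response.SuppressFormsAuthenticationRedirect = true;
            Response.ContentType = "application/json";
            Response.Write(statusCode == 401 ? "{\"error\":\"not authenticated\"}"
                                             : "{\"error\":\"forbidden\"}");
            CompleteRequest();
        }
        else if (statusCode == 401)
        {
            // Full page, not logged in: keep the 401; FormsAuthenticationModule then redirects to the login page.
            CompleteRequest();
        }
        else
        {
            // Full-page 403: render the dedicated view instead of bouncing to the login page.
            var routeData = new RouteData();
            routeData.Values["controller"] = "Error";
            routeData.Values["action"] = "Forbidden";
            IController controller = new ErrorController();
            controller.Execute(new RequestContext(new HttpContextWrapper(Context), routeData));
        }
    }
}
```

Because HandleErrorAttribute only handles exceptions whose HTTP code is 500, the 401/403 HttpExceptions from the attribute pass through it and reach this handler even when customErrors is switched on.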
  • IMO it is a common way to throw an exception from `OnAuthorization`. In fact, the AuthorizeAttribute class's `OnAuthorization` implementation throws exceptions. – SBirthare Dec 19 '14 at 08:36
  • Are you sure `AuthorizeAttribute` throw HttpException? Looking at the source I can't see where it throws the exception. – Tobias Dec 19 '14 at 08:39
  • Yes I am... I double checked the code. OnAuthorization() method throws InvalidOperationException() and ArgumentNullException(). – SBirthare Dec 19 '14 at 08:41
  • But it does not throw an HttpException. Does this make any difference? My concerns are disabling things by throwing an HttpException instead of just setting the StatusCode. – Tobias Dec 19 '14 at 08:46
  • Throwing different exceptions enables the recipient to distinguish errors and handle them differently, e.g. display a specific custom page. In your case, you are anyway going to catch it in your Application_Error() (this is the recipient) and display a custom page. A browser could be a recipient as well. – SBirthare Dec 19 '14 at 09:27

0 Answers