I have implemented CustomAuthorization overriding AuthorizeAttribute.

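```csharp
using System.Web;
using System.Web.Mvc;

public class MyAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Run the framework's own check (authenticated, Users/Roles) first.
        var isAuthorized = base.AuthorizeCore(httpContext);
        var isUserExist = false;

        if (isAuthorized)
        {
            // To check if user exists in DB (sets isUserExist)
        }

        // Both checks must pass; a false result produces the 401 response.
        return isAuthorized && isUserExist;
    }
}
```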

This is working fine: when the user is not authorized, it displays a 401 Unauthorized error. But in this case I want to redirect to the custom Unauthorized page. For this I have added the below in web.config:

```xml
<customErrors mode="On" defaultRedirect="~/Home/Error">
  <error statusCode="401" redirect="~/Home/Unauthorized" />
</customErrors>
```

In my controller:

```csharp
[Authorize]
public class HomeController : BaseController
{
    [AllowAnonymous]
    public ActionResult Unauthorized()
    {
        return View(ActionMethods.HOME_UNAUTHORIZED);
    }
}
```

My issue is that it is not redirecting to the custom page; instead, the browser is prompting with a username/password popup.

Sharing ideas/experiences will be better.

Update from Comments:

I am using Windows Authentication, and in IIS I have enabled both Windows Authentication and Anonymous Authentication.

  • Is the prompt for username/password a dialog window or a page in your application? – Will Ray May 10 '16 at 13:59
  • @WillRay a dialog window of browser –  May 10 '16 at 14:05
  • I believe that's the default behavior of the base class. I.e. if you are not logged in, attempt to give the user a chance to authenticate themselves. If, after having a valid login, they still are unauthorized, then we redirect to the unauthorized page. – Berin Loritsch May 10 '16 at 14:12
  • Something you may want to do is to set up a separate ErrorController and move all your error states there. ErrorController will not have the `[Authorize]` attribute, so there should be no confusion when hitting one of those pages. The URL would look like: `http://www.myawesomeapp.com/Error/Unauthorized` – Berin Loritsch May 10 '16 at 14:15
  • @BerinLoritsch, Still not working after moving to separate controller –  May 10 '16 at 14:20
  • I think you are using windows based authentication, in that case check [this link](http://stackoverflow.com/questions/15087755/use-anonymous-authentication-in-mvc4-on-single-controller-when-the-whole-applica), it has a solution that you can use. – SamGhatak May 10 '16 at 14:30
  • @SamGhatak, Yes Windows Authentication only –  May 10 '16 at 14:33
  • @SamGhatak, That solution doesn't work for me as I am using `Custom Authorize Attribute` –  May 10 '16 at 14:37
  • @SSS Is your IIS configured to do windows authentication, and deny anonymous authentication? IIS settings come into play before MVC is reached, so if anonymous authentication is not allowed it will never make it to your code anyways. – Will Ray May 10 '16 at 14:43
  • @WillRay, Yes it was disabled, but now I enabled `Anonymous Authentication` but still not working –  May 10 '16 at 14:46
  • I would give [this answer](http://stackoverflow.com/a/6101794/4270650) a try. – Will Ray May 10 '16 at 15:16
  • @WillRay, Still not working... –  May 10 '16 at 15:24

0 Answers
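The split described in the comments (challenge a request that has no login, send a logged-in but rejected user to the unauthorized page) can be made explicit by overriding `HandleUnauthorizedRequest`, so that only unauthenticated requests receive the 401 that triggers the browser's credential dialog. This is an added example, not code from the question or its comments; `UserExistsInDb` is a hypothetical placeholder for the lookup the question leaves out, and the `Home/Unauthorized` route is the one shown in the question.

```csharp
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Added example: the question's attribute with the rejection path split
// by whether the caller already has an authenticated Windows identity.
public class MyAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Framework check first, then the application's own user lookup.
        return base.AuthorizeCore(httpContext)
            && UserExistsInDb(httpContext.User.Identity.Name);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        if (!request.IsAuthenticated)
        {
            // No identity yet: keep the default 401 so IIS can run the
            // Windows authentication handshake.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        if (request.IsAjaxRequest())
        {
            // Script callers get a status code instead of an HTML redirect.
            filterContext.Result = new HttpStatusCodeResult(403);
            return;
        }

        // Known identity, access denied: go to the [AllowAnonymous] action.
        filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
        {
            { "controller", "Home" },
            { "action", "Unauthorized" }
        });
    }

    // Hypothetical placeholder for the database lookup (assumption).
    // Fails closed: nobody is authorized until a real lookup replaces it.
    private static bool UserExistsInDb(string windowsAccountName)
    {
        return false;
    }
}
```

Because the rejected user is redirected rather than answered with a 401, the target action must stay reachable without passing this attribute, which is what `[AllowAnonymous]` on `Unauthorized()` provides.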