Asp.Net web service: I would like to return error 403 forbidden

Question

I have got a web service programmed in c# / asp.net.

[WebService(Namespace = "http://example.com/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[ScriptService]
[System.ComponentModel.ToolboxItem(false)]
public class Service: System.Web.Services.WebService
{

    [WebMethod]
    [ScriptMethod(ResponseFormat = ResponseFormat.Json)]
    public Result GetData()
    {
        User user = GetUser();

        if (user.LoggedIn)
        {
            return GetData();
        }
        else
        {
            // raise exception -> return error 403
        }
    }

How is it possible to return error 403 out of this web service? I can throw an exception - but this shows the exeption and not his error.

Any ideas?

You return value from service only if user is 'LoggedIn' you must return that 'Result' type from that method. — 1110, Apr 13 '11 at 13:28
You declare your method to return 'Result' type. And you must return object of that type from your method. What is 'Data()'? You cant return something from only one 'if' block, because if that block is false your method will not return anything. — 1110, Apr 13 '11 at 13:49
I thought I can raise an exceptino or something like this and then the web service would return 403 — bernhardrusch, Apr 13 '11 at 13:55
Code 401 would be more appropriate as the user could access the resource if he loggs in — Daniel, Mar 15 '13 at 10:16

score 35 · Answer 1 · answered May 01 '15 at 17:48

35

If you were using MVC you'd do the following:

            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);

answered May 01 '15 at 17:48

Bryan Legend

6,790
1
59
60

score 32 · Answer 2 · edited May 04 '15 at 14:10

32

You don't need to set both Context.Response.Status and Context.Response.StatusCode. Simply setting

Context.Response.StatusCode = (int)System.Net.HttpStatusCode.Forbidden

will automatically set Response.Status for you.

edited May 04 '15 at 14:10

Jay Tomten

1,657
1
14
23

answered Jul 11 '12 at 17:49

Michael Chatfield

421
4
4

1

It should be a comment on @bernhardrusch answer – Rodrigo Alencar Dec 07 '17 at 13:40

bernhardrusch · Accepted Answer · 2015-07-20T14:20:59.197

23

To answer the question completely - this is the code I've used (thank you strider for more information):

[WebService(Namespace = "http://example.com/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[ScriptService]
[System.ComponentModel.ToolboxItem(false)]
public class Service: System.Web.Services.WebService
{

    [WebMethod]
    [ScriptMethod(ResponseFormat = ResponseFormat.Json)]
    public Result GetData()
    {
        User user = GetUser();

        if (user.LoggedIn)
        {
            return GetData();
        }
        else
        {
            Context.Response.Status = "403 Forbidden"; 
            //the next line is untested - thanks to strider for this line
            Context.Response.StatusCode = 403;
            //the next line can result in a ThreadAbortException
            //Context.Response.End(); 
            Context.ApplicationInstance.CompleteRequest(); 
            return null;
        }
    }

edited Jul 20 '15 at 14:20

answered Feb 24 '12 at 06:48

bernhardrusch

11,670
12
48
59

This gives me a ThreadAbortException when used with WebMethod and ScriptMethod. – Eterm Jul 20 '15 at 13:18
try using Context.ApplicationInstance.CompleteRequest() instead of Context.Response.End() – bernhardrusch Jul 20 '15 at 14:21
2

Worth mentioning that `Response.Status = "403 Forbidden"; ` is the complete `status` that consists of `Response.StatusCode` and `Response.StatusDescription`. It might be better to use `Response.StatusDescription` instead of `Response.Status` – G. Stoynev Sep 20 '16 at 20:40
In my case it's called "ActionContext" instead of "Context" – Zohar Aug 02 '22 at 14:29

score 7 · Answer 4 · answered Oct 05 '11 at 09:43

7

You can protect all your methods by placing the code in your WebService constructor. This prevents your WebMethod from even being called:

public Service(): base()
{
    if (!GetUser().LoggedIn)
    {
        Context.Response.StatusCode = (int)System.Net.HttpStatusCode.Forbidden;
        Context.Response.End();
    }
}

answered Oct 05 '11 at 09:43

Andy Joiner

5,932
3
45
72

Not necessarily correct....I leverage WebMethods through AJAX calls and I have to work to authenticate the user(s) through encrypted cookies – GoldBishop Mar 15 '18 at 13:03
This doesn't make sense. Your constructor isn't called when your web methods are called. Refer to @bernhardrusch's answer. – Exegesis Jan 04 '21 at 19:08

score 6 · Answer 5 · answered Jun 03 '16 at 11:34

6

In Asp.Net Web Api 2, you'd use:

return new StatusCodeResult(HttpStatusCode.Forbidden, this);

answered Jun 03 '16 at 11:34

arviman

5,087
41
48

1

This does not answer the question at all! The question was relating to a WebService and this is WebApi2 – matt_lethargic Mar 31 '17 at 11:27
I get what you're saying, but I was fixing some legacy stuff and didn't need to know the answer to a different question that i already knew! – matt_lethargic Apr 03 '17 at 13:49
ok my bad ..didn't realize people would still be working on web services. – arviman Apr 03 '17 at 13:51
NP. Wish i wasn't! – matt_lethargic Apr 03 '17 at 13:52
@matt_lethargic like your profile comment! ;-) Seems legacy crap code is common in automotive field :P – Pascal May 20 '17 at 11:44

Mark Cidade · Answer 6 · 2012-03-05T18:47:37.027

3

Context.Response.StatusCode = 403;

edited Mar 05 '12 at 18:47

answered Apr 13 '11 at 13:57

Mark Cidade

98,437
31
224
236

where do I get this response object [I can't access it directly]? – bernhardrusch Apr 13 '11 at 14:02
1

Context.Response.Status = "403 Forbidden"; Context.Response.End(); return null; – bernhardrusch Jun 07 '11 at 13:20
1

Context.Response.Status is a string property, +1 for @bernhardrusch. Correct property to set would be Context.Response.StatusCode if you want to just set 403, an int. – strider Feb 23 '12 at 22:09

score 1 · Answer 7 · answered Apr 13 '11 at 20:39

1

Your web service requests will first encounter your global.asax file. You can check & return there.

answered Apr 13 '11 at 20:39

Chuck Savage

11,775
6
49
69

score 1 · Answer 8 · answered Dec 21 '21 at 11:55

1

aspnet core you can return forbidResult. This is an IResult.

return new ForbidResult();

answered Dec 21 '21 at 11:55

Mike

623
6
26

score 0 · Answer 9 · answered Apr 13 '11 at 13:56

0

Forbidden 403 would be a result of access to forbidden content on your website. I think what you want here is to return a message as part of your Result that is "User is not logged on"

answered Apr 13 '11 at 13:56

Orin

351
5
13

Viktor Bagány · Answer 10 · 2020-04-06T13:55:31.020

0

The return Forbid(); creates a ForbidResult (Status403Forbidden by default).

https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.mvc.controllerbase.forbid?view=aspnetcore-3.1

edited Apr 06 '20 at 13:55

answered Mar 02 '20 at 23:00

Viktor Bagány

11
1

Asp.Net web service: I would like to return error 403 forbidden

10 Answers10

Linked

Related