1

We have an MVC app that uses controllers for AJAX endpoints, and FormsAuth for authentication.

I've run into an interesting scenario where a GET request will behave differently than a POST request (both for an unauthorized user).

In this particular case, our custom ControllerFactory runs the following code trying to access this controller:

FormsAuthentication.SignOut();
requestContext.HttpContext.Response.Redirect(FormsAuthentication.LoginUrl);
throw new UnauthorizedAccessException();

(I realize that redirecting inside an AJAX request makes no sense, but bear with me).

When I do a GET request (AJAX) to this controller, the client receives a 401 - Unauthorized exception, which I can trap on the client side and redirect the user to the login page.

When I do a POST request (AJAX) to this controller, I'm getting a 302, and my request got redirected to my login page.

Why do the GET and POST requests act differently?

Jonas
  • 4,454
  • 3
  • 37
  • 45
  • 2
    The code that your controller factory is trying to run is not its responsibility => a controller factory is supposed to instantiate controllers, not perform authentication. You have `[Authorize]` attributes for this purpose. – Darin Dimitrov Jul 18 '11 at 20:53
  • @Darin - I'm aware of that, in fact right above this code is a comment saying this is a hack. :D This fact stems from the fact that some controllers cannot be constructed if the user is not logged in (due to how our IoC container is setup). Again, however, not germane to the question. :D – Jonas Jul 18 '11 at 21:04
  • I am just mentioning what best practices here are. The fact that you are not following those practices and running into problems doesn't surprise me. Happens all the time with people that do this :-) So get rid of the hack, do things the right way and be happy. If you don't make sure you provide a full example allowing to reproduce your problem. The 3 lines of code you have posted in your question are very far from enough. – Darin Dimitrov Jul 18 '11 at 21:05
  • Adding a link to my other question in an attempt to fix the hack: http://stackoverflow.com/questions/6739899/spring-net-propertyretrievingfactoryobject-property-is-null – Jonas Jul 18 '11 at 21:54
  • I've posted a simple answer to your spring.net question: http://stackoverflow.com/questions/6739899/spring-net-propertyretrievingfactoryobject-property-is-null/6762392#6762392 – Marijn Jul 25 '11 at 10:37

1 Answers1

1

So I took Darin's advice and did some refactoring, and I no longer run into this problem. :) I discovered the root of my problem, which was that we had a attribute for MVC error handling that did not have the IExceptionFilter attribute, so some stuff was happening in non-determinate orders. Thanks for the helpful kick in the butt. ;)

Jonas
  • 4,454
  • 3
  • 37
  • 45