在web.config或global.asax EndRequest事件中重定向401？

Question

I have a site that is using forms authentication, but the login url is actually a page ("WinLogin.aspx") that is set to use windows authentication. That way, if the user is on our network, WinLogin.aspx captures their domain login and they can continue on into the application without having to reenter their username and password. But if they are not logged into the domain, WinLogin.aspx gives a 401 error, which a browser would normally interpret by asking the user for their username and password to check against the domain server.

I want to redirect those 401 errors to my own custom page that gets that username and password, so I can do a true forms authentication, because some of the accounts in my application do not have a corresponding domain account.

I can do the rerouting of the 401 error in the web.config file like this:

    <httpErrors errorMode="Custom">
        <error statusCode="401" path="/Redirect401.aspx" />
    </httpErrors>

Or, I can do it with code in the global.asax end request handler like this:

void Application_EndRequest(object sender, System.EventArgs e)
{
    if (((Response.StatusCode == 401) && (Request.IsAuthenticated == true)))
    {
        Response.ClearContent();
        Response.Redirect("~/Redirect401.aspx");
    }
}

Is there any reason to prefer either method?

Answer 1

You'll want to use the web.config approach if your error handling is cut-n-dry and there's nothing you want to do prior to redirecting to the error page. In either case I tend to prefer catching errors in global.asax, then do some logging and then redirect to the error page, or error controller if it's an MVC app. In my last app I used this exact approach in an MVC app and had the error controller actions take some action prior to returning the view. For example, in the case of a 401 error I had the action set a 403 error instead, so it did not force the browser to the login page. So it all depends on your needs for one approach over the other.