Login Dialog Appears When User is Not Authorized

Question

In an attempt to implement security in my web app, I created an attribute that derives from AuthorizeAttribute .

public class FunctionalityAttribute : AuthorizeAttribute
{
    public string FunctionalityName { get; set; }

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        string adGroup = WebConfigurationManager.AppSettings[FunctionalityName];

        if (actionContext.RequestContext.Principal.IsInRole(adGroup)) { return true; }

        return false; // This causes a login dialog to appear. I don't want that.
    }
}

And here is how it's used in my Web API method:

[Functionality(FunctionalityName = "GetApps")]
public IEnumerable<ApplicationDtoSlim> Get()
{
    using (var prestoWcf = new PrestoWcf<IApplicationService>())
    {
        return prestoWcf.Service.GetAllApplicationsSlim().OrderBy(x => x.Name);
    }
}

It actually works. But the issue is what happens when I'm not authorized:

I don't want that dialog to come up. I'm already signed in. I want to let the user know that they're not authorized. How do I make it so that login dialog doesn't come up?

Answer 1

You need to also override HandleUnauthorizedRequest

  protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
  {
    System.Web.Routing.RouteValueDictionary rd = null;
    if (filterContext.HttpContext.User.Identity.IsAuthenticated)
    {
        //Redirect to Not Authorized
        rd = new System.Web.Routing.RouteValueDictionary(new { action = "NotAuthorized", controller = "Error", area = "" });
    }
    else
    {
        //Redirect to Login
        rd = new System.Web.Routing.RouteValueDictionary(new { action = "Login", controller = "Account", area = "" });
        //See if we need to include a ReturnUrl
        if (!string.IsNullOrEmpty(filterContext.HttpContext.Request.RawUrl) && filterContext.HttpContext.Request.RawUrl != "/")
            rd.Add("ReturnUrl", filterContext.HttpContext.Request.RawUrl);
    }
    //Set context result
    filterContext.Result = new RedirectToRouteResult(rd);
  }

Answer 2

In HandleUnauthorizedRequest , use HttpStatusCode Forbidden because Unauthorized causes a login prompt to display. Here is the entire attribute class.

public class FunctionalityAttribute : AuthorizeAttribute
{
    public string FunctionalityName { get; set; }

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        string adGroup = WebConfigurationManager.AppSettings[FunctionalityName];

        if (actionContext.RequestContext.Principal.IsInRole(adGroup)) { return true; }

        return false;
    }

    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        // Authenticated, but not authorized.
        if (actionContext.RequestContext.Principal.Identity.IsAuthenticated)
        {
            // Use Forbidden because Unauthorized causes a login prompt to display.
            actionContext.Response = new HttpResponseMessage(HttpStatusCode.Forbidden);
        }
    }
}

And this is how I'm handling it in my angular repository:

    $http.get('/PrestoWeb/api/apps/')
        .then(function (result) {
            // do success stuff
        }, function (response) {
            console.log(response);
            if (response.status == 403) {
                $rootScope.setUserMessage("Unauthorized");
                callbackFunction(null);
            }
        });