How do I serve up an Unauthorized page when a user is not in the Authorized Roles?

Question

I am using the Authorize attribute like this:

[Authorize (Roles="Admin, User")]
Public ActionResult Index(int id)
{
    // blah
}

When a user is not in the specified roles, I get an error page (resource not found). So I put the HandleError attribute in also.

[Authorize (Roles="Admin, User"), HandleError]
Public ActionResult Index(int id)
{
    // blah
}

Now it goes to the Login page, if the user is not in the specified roles.

How do I get it to go to an Unauthorized page instead of the login page, when a user does not meet one of the required roles? And if a different error occurs, how do I distinguish that error from an Unauthorized error and handle it differently?

Answer 1

Add something like this to your web.config:

<customErrors mode="On" defaultRedirect="~/Login">
     <error statusCode="401" redirect="~/Unauthorized" />
     <error statusCode="404" redirect="~/PageNotFound" />
</customErrors>

You should obviously create the /PageNotFound and /Unauthorized routes, actions and views.

EDIT : I'm sorry, I apparently didn't understand the problem thoroughly.

The problem is that when the AuthorizeAttribute filter is executed, it decides that the user does not fit the requirements (he/she may be logged in, but is not in a correct role). It therefore sets the response status code to 401. This is intercepted by the FormsAuthentication module which will then perform the redirect.

I see two alternatives:

1. Disable the defaultRedirect.

2. Create your own IAuthorizationFilter . Derive from AuthorizeAttribute and override HandleUnauthorizedRequest. In this method, if the user is authenticated do a redirect to /Unauthorized

I don't like either: the defaultRedirect functionality is nice and not something you want to implement yourself. The second approach results in the user being served a visually correct "You are not authorized"-page, but the HTTP status codes will not be the desired 401.

I don't know enough about HttpModules to say whether this can be circumvented with aa tolerable hack.

EDIT 2 : How about implementing your own IAuthorizationFilter in the following way: download the MVC2 code from CodePlex and "borrow" the code for AuthorizeAttribute. Change the OnAuthorization method to look like

    public virtual void OnAuthorization(AuthorizationContext filterContext)
    {
        if (AuthorizeCore(filterContext.HttpContext))
        { 
            HttpCachePolicyBase cachePolicy = filterContext.HttpContext.Response.Cache;
            cachePolicy.SetProxyMaxAge(new TimeSpan(0));
            cachePolicy.AddValidationCallback(CacheValidateHandler, null /* data */);
        }
        // Is user logged in?
        else if(filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Redirect to custom Unauthorized page
            filterContext.Result = new RedirectResult(unauthorizedUrl);
        } 
        else {
            // Handle in the usual way
            HandleUnauthorizedRequest(filterContext);
        }
    }

where unauthorizedUrl is either a property on the filter or read from Web.config.

You could also inherit from AuthorizeAttribute and override OnAuthorization , but you would end up writing a couple of private methods which are already in AuthorizeAttribute.

Answer 2

You could do this in two ways:

1. Specify the error the HandleError-attribute, and give a view that should be shown:

   [HandleError(ExceptionType = typeof(UnAuthorizedException), View = "UnauthorizedError")]

You can specify several different ExceptionTypes and views

2. Create a custom ActionFilter, check there for credentials, and redirect to a controller if the user is unauthorized.: http://web.archive.org/web/20090322055514/http://msdn.microsoft.com/en-us/library/dd381609.aspx

Answer 3

Perhaps a 403 status code is more appropriate based on your question (the user is identified, but their account is not privileged enough). 401 is for the case where you do not know what priveleges the user has.

Answer 4

And HttpUnauthorizedResult (this comes as reuslt of the AuthorizeAtrribute ) just sets StatusCode to 401. So probably you can setup 401 page in IIS or custom error pages in web.config. Of course, you also have to ensure that access to your custom error page is not requires authorization.

Answer 5

Just override the HandleUnauthorizedRequest method of AuthorizeAttribute. If this method is called, but the user IS authenticated, then you can redirect to your "not authorized" page.

public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary(new { Area = "", Controller = "Error", Action = "Unauthorized" }));
        }
        else
        {
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}