I would have expected it to return 'true' or 'false'...
I have overridden OnAuthorization in my Controller and based on a missing or invalid HTTP Header value I want to return 403 forbidden, however I can't seem to figure out how to return anything from OnAuthorization so that it will actually stop the rest of the Controller from running.
What should I do?
My first attempt below was a huge fail, I think Deny() is running but nothing happens...
    public class AuthController : Controller
    {
        protected override void OnAuthorization(AuthorizationContext filterContext)
        {
            if (string.IsNullOrEmpty(filterContext.HttpContext.Request.Headers["Authorization"]))
                Deny();
            string authString = filterContext.HttpContext.Request.Headers["Authorization"];
            base.OnAuthorization(filterContext);
        }

        private ActionResult Deny()
        {
            HttpContext.Response.StatusCode = 403;
            return Content("Access Denied", "text/plain");
        }
    }
UPDATE: looks like this did the trick, any reason why this might be a bad approach?

    if (string.IsNullOrEmpty(filterContext.HttpContext.Request.Headers["Authorization"]))
    {
        filterContext.Result = Content("Access Denied", "text/plain");
        filterContext.HttpContext.Response.StatusCode = 403;
        base.OnAuthorization(filterContext);
    }

UPDATE AGAIN: OK, so now it's not working at all... I put in a breakpoint and watched it step INTO that if statement, and get to the base.OnAuthorization(...) call, and step right back out again... why would it go into the if statement if it was not executing? If it was executing, why would calling base.OnAuthorization(...) not end things early?
You could throw an HttpException:

    throw new HttpException(403, "Access Denied");

What about?

    throw new UnauthorizedAccessException();
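
An added example, not code from the posts above: OnAuthorization returns void, so the way to stop the request is to assign filterContext.Result and return, which makes MVC execute that result instead of the action. The "Bearer" scheme check, the "ApiToken" app setting and the helper names IsAuthorized and FixedTimeEquals are assumptions made for illustration.

```csharp
using System;
using System.Configuration;
using System.Text;
using System.Web.Mvc;

public class AuthController : Controller
{
    protected override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);

        string header = filterContext.HttpContext.Request.Headers["Authorization"];
        if (!IsAuthorized(header))
        {
            // A non-null Result short-circuits the pipeline: the action method
            // is not invoked and MVC executes this result instead.
            filterContext.Result = new HttpStatusCodeResult(403, "Access Denied");
            return;
        }
    }

    // Hypothetical check: "Bearer <token>" compared against a configured value.
    private static bool IsAuthorized(string header)
    {
        const string prefix = "Bearer ";
        if (string.IsNullOrEmpty(header) ||
            !header.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            return false;

        string presented = header.Substring(prefix.Length).Trim();
        string expected = ConfigurationManager.AppSettings["ApiToken"]; // assumed setting name
        if (presented.Length == 0 || string.IsNullOrEmpty(expected))
            return false; // fail closed when either side is missing

        return FixedTimeEquals(Encoding.UTF8.GetBytes(presented),
                               Encoding.UTF8.GetBytes(expected));
    }

    // Compares all overlapping bytes instead of stopping at the first mismatch.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```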