 

Override ASP.NET forms authentication for a single page

In our ASP.NET MVC application, we automatically redirect users to a log-on page via the <authentication> section of <system.web> when they attempt to access an authorized-only page. The problem is that one action in the middle of the application, designed to be used by a tool, needs to return a straight-up HTTP 401 response on bad access. How can I return a real HTTP 401 code without the redirect for this specific action?

asked Jun 02 '09 21:06

Benjamin Pollack




2 Answers

The following solution works, although I'm not at all sure it's optimal:

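using System.Web.Mvc;

// Action result that sends a bare 401 challenge to the client.
public class HttpAuthenticationRequiredResult : ActionResult
{
    public override void ExecuteResult(ControllerContext context)
    {
        var response = context.HttpContext.Response;
        response.StatusCode = 401;
        response.AddHeader("WWW-Authenticate", "Basic realm=\"whatever\"");
        // Send the response and close the connection now, before forms
        // authentication can replace the 401 with its log-on redirect.
        response.Flush();
        response.Close();
    }
}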

You can then return the above result instead of an HttpUnauthorizedResult to generate the required 401 code. This feels quite klugy to me, however.

answered Oct 29 '22 06:10

Benjamin Pollack
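
An added example, not part of the original answers: on .NET 4.5 or later, the 401 can be kept without flushing and closing the response by setting `SuppressFormsAuthenticationRedirect` in an authorization filter. It assumes ASP.NET MVC 3 or later; `ApiAuthorizeAttribute`, `ToolController`, `Status` and the realm value are hypothetical names chosen for illustration.

```csharp
using System.Web.Mvc;

// Hypothetical attribute: use instead of [Authorize] on the tool-facing action.
public class ApiAuthorizeAttribute : AuthorizeAttribute
{
    public ApiAuthorizeAttribute()
    {
        Realm = "tool-api"; // placeholder realm
    }

    // Realm advertised in the WWW-Authenticate challenge.
    public string Realm { get; set; }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var httpContext = filterContext.HttpContext;

        // Signed in but not permitted (role/user mismatch): answer 403 with no
        // challenge. Forms authentication only rewrites 401 responses.
        if (httpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpStatusCodeResult(403, "Forbidden");
            return;
        }

        var response = httpContext.Response;
        // Tell FormsAuthenticationModule to leave this 401 alone instead of
        // turning it into a redirect to the log-on page (.NET 4.5+).
        response.SuppressFormsAuthenticationRedirect = true;
        // Keep IIS custom error pages from replacing the response.
        response.TrySkipIisCustomErrors = true;
        response.AddHeader("WWW-Authenticate", "Basic realm=\"" + Realm + "\"");
        filterContext.Result = new HttpStatusCodeResult(401, "Unauthorized");
    }
}

public class ToolController : Controller
{
    // Only this action gets the raw 401; every other action keeps the redirect.
    [ApiAuthorize(Realm = "tool-api")]
    public ActionResult Status()
    {
        return Content("ok", "text/plain");
    }
}
```
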


You can have separate <system.web> sections for separate paths. Here's an example:

<configuration>
  <location path="Foo/Bar.aspx">
    <system.web>
      <authorization>
        <allow roles="GoodGuys" />
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>

In this case, the page "Foo/Bar.aspx" is allowed to folks with the GoodGuys role, but denied to all others.

In your case, you might want to allow all without authentication:

<configuration>
  <location path="Foo/Bar.aspx">
    <system.web>
      <!-- The authentication element can only be set at application level,
           so only authorization is overridden for this path. -->
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

answered Oct 29 '22 06:10

Randolpho