
Sending message with 401: Asp.net Web-api

I am in ASP.NET Web API. In the login method I check the user/password against the db and, if they do not match, I return a 401 status code along with an invalid user or password method like

var content = new StringContent("Invalid user name or password");
var message = new HttpResponseMessage(HttpStatusCode.Unauthorized);
message.Content = content;
throw new HttpResponseException(message);

But the API seems to ignore my message and simply returns some HTML like

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;} 
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;} 
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} 
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
 <div class="content-container"><fieldset>
  <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
 </fieldset></div>
</div>
</body>
</html>

Why is that? How can I override this?

Muhammad Adeel Zahid asked Sep 20 '12 11:09


2 Answers

One potential cause of this response is the IIS web site being configured to allow Forms authentication. Look at this older but still valid post on configuring IIS to disable Forms authentication for the Web API.

Sixto Saez answered Sep 28 '22 06:09


I believe the response you are getting is from IIS and not from Web Api. If you want to handle the authentication process yourself within your API you need to tell IIS that anonymous access is allowed so that it will get out of the way.

Also, when you return a 401 you MUST return a www-authenticate header (see http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2). This tells the client what type of authentication is allowed.

Darrel Miller answered Sep 28 '22 06:09
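The WWW-Authenticate requirement from the answer above, as an added example that is not part of the original question or answers: the question's 401 built with a challenge header, plus a message handler that adds the challenge to any 401 leaving the Web API pipeline without one. The `Basic` scheme, the `api` realm and the class names `LoginFailure` and `ChallengeOn401Handler` are assumptions made for illustration.

```csharp
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

public static class LoginFailure
{
    // Assumption: scheme "Basic" and realm "api" are illustrative values;
    // use the scheme your clients actually authenticate with.
    public static AuthenticationHeaderValue Challenge()
    {
        return new AuthenticationHeaderValue("Basic", "realm=\"api\"");
    }

    // Builds the exception thrown in the question, with the challenge attached.
    // Usage inside the login action: throw LoginFailure.Create();
    public static HttpResponseException Create()
    {
        var message = new HttpResponseMessage(HttpStatusCode.Unauthorized)
        {
            // One generic text for both "unknown user" and "wrong password",
            // so the response does not reveal which accounts exist.
            Content = new StringContent("Invalid user name or password")
        };
        message.Headers.WwwAuthenticate.Add(Challenge());
        return new HttpResponseException(message);
    }
}

// Adds the challenge to any 401 produced inside Web API that lacks one,
// for example a 401 generated by an [Authorize] filter.
public class ChallengeOn401Handler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var response = await base.SendAsync(request, cancellationToken);
        if (response.StatusCode == HttpStatusCode.Unauthorized
            && response.Headers.WwwAuthenticate.Count == 0)
        {
            response.Headers.WwwAuthenticate.Add(LoginFailure.Challenge());
        }
        return response;
    }
}
// Registration at startup: config.MessageHandlers.Add(new ChallengeOn401Handler());
```

This only covers the header on responses that Web API itself produces. The HTML page shown in the question is a hosting matter, which the answers attribute to the IIS authentication settings.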