10

We're building a ServiceStack API which will use Basic authentication. I've currently set up the auth in my AppHost as follows:

var authDb = new OrmLiteConnectionFactory("Server=(...);", true, MySqlDialectProvider.Instance);

var authRepo = new OrmLiteAuthRepository(authDb);
authRepo.CreateMissingTables();
container.Register<ICacheClient>(c => new MemoryCacheClient());
container.Register<IUserAuthRepository>(c => authRepo);

Plugins.Add(
    new AuthFeature(() => new AuthUserSession(), new IAuthProvider[] { new BasicAuthProvider() })
);

When doing a request with no Authorization header or the wrong username+pass, the response is a redirect to /Account/Login.aspx?ReturnUrl=...

Partial request + response example:

POST http://localhost:60278/reserve HTTP/1.1

HTTP/1.1 302 Found
Location: /Account/Login.aspx?ReturnUrl=%2freserve
X-Powered-By: ServiceStack/3,924 Win32NT/.NET

Is there a way to make it respond with only an HTTP 401 Unauthorized or an HTTP 403 Forbidden?

Magge

2 Answers

22

By default ServiceStack's AuthFeature will only try to redirect you to the default ~/login path for HTML Content-Type requests. You can override this by setting the redirect path in the AuthFeature to null:

Plugins.Add(new AuthFeature(...) { HtmlRedirect = null });

This will fall back to the standard 401 Unauthorized response that the other Content-Types get.

After globally setting the HtmlRedirect to null, you can add it back on an ad hoc basis, e.g.:

[Authenticate(HtmlRedirect="~/path/to/redirect/to")]
mythz
  • I think there must be some ASP.NET stuff confusing me here. I've seen it in the docs and tried the HtmlRedirect=null, and besides, I'm using application/json for Accept / Content-type headers. The redirect is not the same as you write (~/login), but /Account/Login.aspx. I will go through my global.aspx and stuff, let you know. I'm accepting your answer now, though, it's the solution when SS is set up correctly. Thank you! :) – Magge Oct 26 '12 at 08:15
  • Yes, this was my bad. I still had the .NET Membership stuff in my Web.config; it seems it overrides the SS authentication. Works like a charm after I removed it. – Magge Oct 26 '12 at 08:21
  • 4
    I cannot get this to work. I tried setting it to null and to other paths, and I tried both options (when creating the new AuthFeature and within the [Authenticate(HtmlRedirect=..)] attribute). It still redirects to login?... If you happen to know what's going on, please let me know; in the meantime I will proceed with debugging against the SS source code. – mare May 05 '13 at 21:05
  • Check if your web.config file has an authentication property. That could be an issue. – Nick Sep 26 '14 at 05:49
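
The cause reported in the comments above, a leftover forms-authentication section in Web.config that turns ServiceStack's 401 into a 302 to a login page, can be checked offline. This is an added example, not code from the thread or from ServiceStack; the function names and both sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not the asker's real files): a Web.config that still
# carries the ASP.NET template's Membership/forms section, and a cleaned one.
SAMPLE_LEFTOVER = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" timeout="2880" />
    </authentication>
    <membership defaultProvider="DefaultMembershipProvider" />
  </system.web>
</configuration>"""

SAMPLE_CLEANED = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="None" />
  </system.web>
</configuration>"""


def child(node, name):
    """First direct child called `name`, ignoring any xmlns prefix on the tag."""
    for element in node:
        if element.tag.rsplit("}", 1)[-1] == name:
            return element
    return None


def find_forms_redirect(web_config_xml):
    """Return the login URL that 401s will be redirected to, or None.

    With <authentication mode="Forms">, ASP.NET's FormsAuthenticationModule
    replaces every 401 response with a 302 to loginUrl, so the 401 that
    ServiceStack's BasicAuthProvider emits never reaches the API client.
    """
    root = ET.fromstring(web_config_xml)
    system_web = child(root, "system.web")
    auth = child(system_web, "authentication") if system_web is not None else None
    if auth is None or auth.get("mode") != "Forms":
        return None
    forms = child(auth, "forms")
    login_url = forms.get("loginUrl") if forms is not None else None
    return login_url or "login.aspx"  # ASP.NET's documented default loginUrl


if __name__ == "__main__":
    for label, xml in (("leftover", SAMPLE_LEFTOVER), ("cleaned", SAMPLE_CLEANED)):
        print(label, "->", find_forms_redirect(xml))
```
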
1

If the following doesn't work:

Plugins.Add(new AuthFeature(...) { HtmlRedirect = null });

Try setting OverrideHtmlRedirect = false on the provider. This works for the NetCoreIdentityAuthProvider, especially for JWT bearer authentication.

Plugins.Add(
  new AuthFeature(..., 
  new CustomAuthProvider(AppSettings) { OverrideHtmlRedirect = false }
) { HtmlRedirect = null });

If all else fails, check the GitHub code to see if there's an HTML redirect being forced.

ランス