3

I'm trying to implement access denied error page on a new ASP.NET MVC 5 project with Individual User Accounts Authentication Mode. I add CustomAuthorize class that inherit from AuthorizeAttribute

public class CustomAuthorize : AuthorizeAttribute
{
    protected virtual CustomPrincipal CurrentUser
    {
        get { return HttpContext.Current.User as CustomPrincipal; }
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.Request.IsAuthenticated)
        {
            if (!string.IsNullOrEmpty(Roles))
            {
                if (!CurrentUser.IsInRole(Roles))
                {
                    filterContext.Result = new RedirectToRouteResult(
                        new RouteValueDictionary(new { controller = "Error", action = "AccessDenied" }));

                    //base.OnAuthorization(filterContext); // returns to login url
                }
            }

            if (!string.IsNullOrEmpty(Users))
            {
                if (!Users.Contains(CurrentUser.UserName))
                {
                    filterContext.Result = new RedirectToRouteResult(
                        new RouteValueDictionary(new { controller = "Error", action = "AccessDenied" }));

                    //base.OnAuthorization(filterContext); // returns to login url
                }
            }
        }
    }


    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            base.HandleUnauthorizedRequest(filterContext);
        }
        else
        {
            filterContext.Result = new RedirectToRouteResult(new
            RouteValueDictionary(new { controller = "Error", action = "AccessDenied" }));
        }
    }
}

add ErrorController.cs

public class ErrorController : Controller
{
    public ActionResult AccessDenied()
    {
        return View();
    }
}

and AccessDenied.cshtml view

<h2>Access Denied</h2>
<p>You do not have access to view this page</p>

then applied in HomeController.cs

[CustomAuthorize]
public class HomeController : Controller

but it always redirecting to login page. How to display the access denied page?

Willy
  • 1,689
  • 7
  • 36
  • 79
  • Does it redirect authenticated users to the login page as well? – takemyoxygen Oct 21 '14 at 13:35
  • @takemyoxygen Yes it does, but I need to redirect to AccessDenied page – Willy Oct 21 '14 at 13:36
  • I can confirm that nothing wrong with your CustomAuthorize or Error controllers as I have tested this in a mvc 5 template with Individual User Accounts. Check my answer. – DSR Oct 21 '14 at 13:47

1 Answers1

1

Create new mvc 5 project with Individual User Accounts, add your Error Controller, view and CustomAuthorize attribute class.

Then update home controller like below.

public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    [CustomAuthorize(Roles = "TestRole")]
    public ActionResult About()
    {
        ViewBag.Message = "Your application description page.";

        return View();
    }

    public ActionResult Contact()
    {
        ViewBag.Message = "Your contact page.";

        return View();
    }
}

Register and login, try to click on the About link you'll get redirected to access denied page as there is no user with role 'TestRole'

DSR
  • 4,588
  • 29
  • 28
  • 1
    Sorry, I forgot to add `OnAuthorization` method on CustomAuthorize class. If this method exist it will never reach `HandleUnauthorizedRequest`. – Willy Oct 21 '14 at 14:11
  • Yes, you are right, you have to handle it inside the OnAuthorization. And you may need to change status code to 401. – DSR Oct 21 '14 at 14:25
  • Could you show me how to handle inside `OnAuthorization`? and why it never reach `HandleUnauthorizedRequest` – Willy Oct 21 '14 at 14:27
  • It seems like OnAuthorization() and IsAuthorized() calls first and then calls HandleUnauthorizedRequest(), because of that we have to deal it that way. http://stackoverflow.com/questions/12629530/how-to-customize-asp-net-web-api-authorizeattribute-for-unusual-requirements – DSR Oct 21 '14 at 14:45