I am trying to implement a custom AuthorizeAttribute for a Web API. Things have been going well so far; however, I am stuck trying to find a way to prevent the username/password credentials box from coming up when a user is not authorized. I am overriding the "HandleUnauthorizedRequest" method like so:

    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        base.HandleUnauthorizedRequest(actionContext);
        actionContext.Response = actionContext.Request.CreateErrorResponse(HttpStatusCode.Unauthorized, "Unauthorized");
    }

This, however, does not work. I can change the status code to Forbidden, which will prevent the prompt from showing; however, I don't think that is the "right way of doing things" solution.

I don't want this prompt to show because I am making a call from a client using JavaScript. I want to receive the 401 and handle it on the client side.

Can someone explain to me what I am missing? (Or let me know if I should be using Forbidden?)

Thanks

Dave
  • This isn't related to C#. See this other question for a discussion of 401 vs 403: http://stackoverflow.com/questions/3297048/403-forbidden-vs-401-unauthorized-http-responses – David Dec 19 '16 at 19:51
  • How is this not related to C#? I am asking about how to make a specific .NET class behave a certain way. – Dave Dec 19 '16 at 23:22

1 Answer

Server code can't change how a browser handles a 401 status code. This other question discusses if a 401 or a 403 status code is more correct. As you can see, there isn't a definitive answer. Based on that, I would use "403 Forbidden" in your case since that works.

David
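
The 401 versus 403 choice discussed in this thread can also be made per request instead of globally. The following is an added example, not code from either poster: it assumes ASP.NET Web API 2 (where `HttpActionContext.RequestContext.Principal` is available), and the class name `ApiAuthorizeAttribute` is hypothetical.

```csharp
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;

// Hypothetical attribute name. Derives from the Web API AuthorizeAttribute
// (System.Web.Http), not the MVC attribute in System.Web.Mvc.
public class ApiAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        // Principal attached to this request by the host or an
        // authentication filter; may be null or anonymous.
        var principal = actionContext.RequestContext.Principal;
        bool isAuthenticated = principal != null
            && principal.Identity != null
            && principal.Identity.IsAuthenticated;

        if (isAuthenticated)
        {
            // The caller is known but failed the Users/Roles check:
            // sending credentials again would not help, so answer 403.
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Forbidden");
        }
        else
        {
            // No authenticated identity on the request: answer 401 so the
            // JavaScript client can detect it and start its own sign-in flow.
            // This code adds no WWW-Authenticate header; a challenge header
            // attached by the host's Basic or Windows authentication is
            // outside the attribute's control.
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Unauthorized, "Unauthorized");
        }
    }
}
```

The base implementation is not called here because both branches replace the response it would have set.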