I have a custom handler and in some cases, I want to indicate to the user agent that they are not authorized (HTTP error code 401):

        if (!IsAuthorized(context))
        {
            context.Response.StatusCode = 401;
            context.Response.End();
            return;
        }

When I access my handler, I am actually getting a 302 and a redirect to the forms authentication page. Is there a way to stop this from happening?

JoshBerke

2 Answers

Your scenario sounds like an "Access denied" instead of "unauthorized". Could you use 403 which is the HTTP status code for "Access denied"?

http://en.wikipedia.org/wiki/List_of_HTTP_status_codes

Naraen
  • I think you're actually right that in my case a 403 is more appropriate... still would like to figure out why the framework is doing what it's doing. – JoshBerke Apr 05 '11 at 18:23
  • @Josh, here is an explanation of why you are seeing a 302 - http://www.asp.net/security/tutorials/user-based-authorization-cs – Naraen Apr 06 '11 at 17:47
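
An added example (not code from the question or from either answer) of a handler that follows the 403 suggestion above. FormsAuthenticationModule rewrites a 401 into a 302 to the login page at EndRequest, so this sketch sends 403 to an authenticated caller who lacks permission and reserves 401 for anonymous callers. The class name `ReportHandler`, the role name `ReportViewers`, and the availability of `SuppressFormsAuthenticationRedirect` (.NET Framework 4.5 and later) are assumptions.

```csharp
using System.Web;

// Hypothetical handler: the names and the role check are illustrative.
public class ReportHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        var user = context.User;

        if (user == null || !user.Identity.IsAuthenticated)
        {
            // Anonymous caller: 401 is correct. Without the next line,
            // FormsAuthenticationModule turns the 401 into a 302 at EndRequest.
            context.Response.SuppressFormsAuthenticationRedirect = true; // .NET 4.5+
            Deny(context, 401, "Authentication required.");
            return;
        }

        if (!IsAuthorized(context))
        {
            // Known caller without permission: 403 is not rewritten
            // by forms authentication, so the client sees it as sent.
            Deny(context, 403, "Access denied.");
            return;
        }

        context.Response.ContentType = "text/plain";
        context.Response.Write("report body");
    }

    // Assumed authorization rule; replace with the application's own check.
    private static bool IsAuthorized(HttpContext context)
    {
        return context.User.IsInRole("ReportViewers");
    }

    private static void Deny(HttpContext context, int status, string message)
    {
        context.Response.Clear();
        context.Response.StatusCode = status;
        context.Response.TrySkipIisCustomErrors = true; // keep IIS from replacing the body
        context.Response.ContentType = "text/plain";
        context.Response.Write(message);
        // Skips remaining handler events without the ThreadAbortException of Response.End().
        context.ApplicationInstance.CompleteRequest();
    }
}
```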

Sounds like you have authentication turned on for the page. If this is the case, then your app is calling Authentication before the hand off to your custom handler. That's why you see the login page.

The isAuthorized in your handler is populated before your handler receives the call. You'll want to use a module and hook into the Authentication Life Cycle Event. See the ASP.NET Life Cycle.

Brig
  • The request is authenticated and authorized as far as IIS is concerned. The code is executing in the ExecuteHandler step of the life cycle. – JoshBerke Apr 05 '11 at 18:18