5

I have created a custom AuthorizationAttribute which I'm placing on my controllers. I followed this article. I've implemented custom authorization logic in the OnAuthorization method and this works fine. When the user fails authorization I'm currently doing the following:

// if authorization check fails...
filterContext.Result = new HttpUnauthorizedResult();

This displays a username/password prompt.

My question is: what is the recommended way to send the user to an "Access Is Denied" type page when they fail authorization?

I am using MVC3.

Steve

3 Answers

4

On the login page, you can check if the user is already logged in and display an access denied message instead of the login prompt.

Tom Clarkson
  • While this might work on a single site, this solution doesn't work at all for a single sign-on system unless you want the Security Token Service to implicitly understand all of the roles/user access rights to your Relying Party sites which would be very incorrect IMO. – Chris Marisic Aug 17 '11 at 12:37
2

In the end I went for a straight redirect:

public override void OnAuthorization(AuthorizationContext filterContext)
{
    ...
    // if authorization check fails...
    filterContext.Result = new RedirectResult(AccessDeniedPage);
}

Edit: Rob Conery has a very good article describing this in detail with ASP.NET MVC: Securing Your Controller Actions

taher chhabrawala
Steve
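A fuller version of the redirect approach in this answer, added here as an example and not code from the question or any answer: it keeps the 401 (and therefore the login prompt) for users who are not logged in, and only redirects users who are logged in but not permitted to an Access Denied page. The AccessDeniedUrl route, the IsAllowed check and the "Admin" role are assumptions for illustration.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added example for ASP.NET MVC 3: a custom AuthorizeAttribute that separates
// "not logged in" (401 challenge) from "logged in but not allowed" (redirect).
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    // Hypothetical route to a plain "Access Is Denied" view. The controller that
    // serves it must NOT carry this attribute, or the redirect would loop.
    public string AccessDeniedUrl { get; set; }

    public CustomAuthorizeAttribute()
    {
        AccessDeniedUrl = "~/Error/AccessDenied";
    }

    // The custom authorization rule; a placeholder here (a real check would look at
    // roles, claims or application-specific permissions).
    protected virtual bool IsAllowed(HttpContextBase httpContext)
    {
        return httpContext.User.IsInRole("Admin");
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");
        // Both unauthenticated and unpermitted users fail here; HandleUnauthorizedRequest
        // then decides between a login challenge and the denial page.
        return httpContext.User.Identity.IsAuthenticated && IsAllowed(httpContext);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Not logged in: a 401 lets forms authentication send the user to the login page.
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        // Logged in but not permitted: a 401 here would bounce the user back to the
        // login page they already passed, so redirect to the Access Denied page instead.
        // RedirectResult resolves the "~/" application-relative path itself.
        filterContext.Result = new RedirectResult(AccessDeniedUrl);
    }
}
```

Apply it as [CustomAuthorize] on controllers or actions; the Access Denied action itself should stay reachable by any authenticated user.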
1

You can throw an HttpException with error code 401.

Eranga