
First off, I am only now familiar with the issues with regard to Authorization and JSON services. See: How to manage a redirect request after a jQuery Ajax call.

My situation: I have an admin directory, with its own "admin" directory, denying unauthenticated users:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>

    <authorization>
        <deny users="?" />
    </authorization>

  </system.web>
</configuration>

Within this directory is my main page and two Http Handlers which I'm using for uploading files and what not. Now, while I've got code to handle the situation when a user is unauthorized when the handler is accessed via GET or POST, it seems the handler is never executed, and the GETs/POSTs get redirected to the login page. I suppose this is all well and good, but I'd really like the http handlers themselves to handle the issue and handle it differently (at least give something like a 401 code instead of redirecting).

It seems like it should be fairly easy (and I bet it probably is easy) to poke holes to allow the HTTP handlers to handle their own security, but I'm kinda at my wit's end here, so I was hoping somebody would kindly show me how I need to modify the web config to allow those services to handle their own authorization. Thanks!

JayC

1 Answer


Have you tried specifying for each one?

  <location allowOverride="false" path="Content">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location allowOverride="false" path="Scripts">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

Be careful. Order matters. So least restrictive to most restrictive top to bottom.

Hupperware
  • Yeah, I've just now tried that. It's working, but... now something seems to be intercepting my handler and changing my 401s to redirects, which is really confusing (I know it's now entering my handler because the debugger is telling me so). – JayC Mar 08 '12 at 21:30
  • I'm going ahead and accepting Hupperware's answer, as it answers my question, but it turns out I was *asking the wrong question*. It turns out ASP.NET, by default, registers an HTTP module (`FormsAuthenticationModule`) that turns 401 Unauthorized into 302 redirects. Furthermore, disabling that module isn't trivial. There are several options detailed in http://haacked.com/archive/2011/10/04/prevent-forms-authentication-login-page-redirect-when-you-donrsquot-want.aspx . Oh, and if you're using Haack's solution or its derivatives, expect to use IIS Express. – JayC Mar 12 '12 at 15:10
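
An added example, not code from the thread or from the linked article: a handler that does its own authorization once a `<location>` rule with `<allow users="*" />` lets anonymous requests reach it, and returns a real 401 instead of the login redirect. It assumes .NET Framework 4.5 or later, where `HttpResponse.SuppressFormsAuthenticationRedirect` is available; the class name `UploadHandler` and the JSON error body are hypothetical.

```csharp
using System.Web;

// Hypothetical handler name; the thread does not name its handlers.
public class UploadHandler : IHttpHandler
{
    // Stateless, so one instance can serve many requests.
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // The <location> exception means URL authorization no longer
        // protects this endpoint: deny by default before doing any work.
        if (context.User == null ||
            context.User.Identity == null ||
            !context.User.Identity.IsAuthenticated)
        {
            Reject(context, 401, "Authentication required");
            return;
        }

        // Authenticated: the upload logic would run here (not shown on the page).
        context.Response.StatusCode = 200;
        context.Response.ContentType = "application/json";
        context.Response.Write("{\"status\":\"ok\"}");
    }

    private static void Reject(HttpContext context, int status, string message)
    {
        HttpResponse response = context.Response;
        response.Clear();

        // .NET 4.5+: tells FormsAuthenticationModule to leave this 401
        // alone instead of rewriting it into a 302 to the login page.
        response.SuppressFormsAuthenticationRedirect = true;

        // Keep IIS from replacing the body with its own error page.
        response.TrySkipIisCustomErrors = true;

        response.StatusCode = status;
        response.ContentType = "application/json";
        // The message is a fixed string chosen above, never request data.
        response.Write("{\"error\":\"" + message + "\"}");
    }
}
```

Every handler exempted this way needs the same check at the top of `ProcessRequest`, because nothing else stands between an anonymous caller and the upload code.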