Why does AuthorizeAttribute redirect to the login page for authentication and authorization failures?

by

When it was first developed, System.Web.Mvc.AuthorizeAttribute was doing the right thing –
older revisions of the HTTP specification used status code 401 for both “unauthorized” and “unauthenticated”.

From the original specification:

If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials.

In fact, you can see the confusion right there – it uses the word “authorization” when it means “authentication”. In everyday practice, however, it makes more sense to return a 403 Forbidden when the user is authenticated but not authorized. It’s unlikely the user would have a second set of credentials that would give them access – bad user experience all around.

Consider most operating systems – when you attempt to read a file you don’t have permission to access, you aren’t shown a login screen!

Thankfully, the HTTP specifications were updated (June 2014) to remove the ambiguity.

From “Hyper Text Transport Protocol (HTTP/1.1): Authentication” (RFC 7235):

The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource.

From “Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content” (RFC 7231):

The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it.

Interestingly enough, at the time ASP.NET MVC 1 was released the behavior of AuthorizeAttribute was correct. Now, the behavior is incorrect – the HTTP/1.1 specification was fixed.

Rather than attempt to change ASP.NET’s login page redirects, it’s easier just to fix the problem at the source. You can create a new attribute with the same name (AuthorizeAttribute) in your website’s default namespace (this is very important) then the compiler will automatically pick it up instead of MVC’s standard one. Of course, you could always give the attribute a new name if you’d rather take that approach.

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class AuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(System.Web.Mvc.AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.Request.IsAuthenticated)
        {
            filterContext.Result = new System.Web.Mvc.HttpStatusCodeResult((int)System.Net.HttpStatusCode.Forbidden);
        }
        else
        {
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

More Related Contents:

  1. Uploadify (Session and authentication) with ASP.NET MVC
  2. ASP.NET MVC Forms Authentication + Authorize Attribute + Simple Roles
  3. asp.net mvc decorate [Authorize()] with multiple enums
  4. ASP.NET MVC – HTTP Authentication Prompt
  5. How to implement custom authentication in ASP.NET MVC 5
  6. Customizing authorization in ASP.NET MVC
  7. Context.User.Identity.Name is null with SignalR 2.X.X. How to fix it?
  8. AllowAnonymous not working with Custom AuthorizationAttribute
  9. Is it possible to create a Logon System with ASP.NET MVC but not use the MembershipProvider?
  10. MVC role-based routing
  11. How to determine if using MVC4 vs MVC5 vs MVC6? [closed]
  12. How to render an ASP.NET MVC view as a string?
  13. MVC5 – How to set “selectedValue” in DropDownListFor Html helper
  14. Why does Html.ActionLink render “?Length=4”
  15. jqgrid + EF + MVC: How to export in excel? Which method you suggest?
  16. Date only from TextBoxFor()
  17. One DbContext per request in ASP.NET MVC (without IOC container)
  18. Custom DateTime model binder in Asp.net MVC
  19. How to Render Partial View into a String
  20. ASP.NET MVC partial views: input name prefixes
  21. Using MVC HtmlHelper extensions from Razor declarative views
  22. attribute dependent on another field
  23. How can I get the route name in controller in ASP.NET MVC?
  24. Mocking HttpContextBase with Moq
  25. How can I load Partial view inside the view?
  26. Access email address in the OAuth ExternalLoginCallback from Facebook v2.4 API in ASP.NET MVC 5 [duplicate]
  27. How to specify an area name in an action link?
  28. How do you mock the session object collection using Moq
  29. Html5 data-* with asp.net mvc TextboxFor html attributes
  30. Prevent IIS from serving static files through ASP.NET pipeline

Leave a Comment