Home/ Questions/Q 6991587
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T19:31:21+00:00

I am thoroughly stumped on this one. Basically, I have an MVC page with

  • 0

I am thoroughly stumped on this one. Basically, I have an MVC page with a custom AuthorizeAttribute that throws a 403 error if a user is authenticated, but does not have appropriate access. The problem I am having is that I would like to redirect this error to a custom controller/action (/Error/Unauthorized).

I have added the following in my web.config

<httpErrors errorMode="Custom">
  <remove statusCode ="403" subStatusCode="-1"/>
  <error statusCode="403" path="/Error/Unauthorized" responseMode="ExecuteURL" />
</httpErrors>

With the above configuration, I do not see the default IIS 7.5 403 redirect. However, I also do not see anything. In IE, it tells me that the website requires you to login and chrome just shows me a blank page.

Any ideas?

Here is the custom authorization code in case that might help

    public class CustomAuthorize : AuthorizeAttribute
    {
        //Property to allow array instead of single string.
        private string[] _authorizedRoles;

        public string[] AuthorizedRoles
        {
            get { return _authorizedRoles ?? new string[0]; }
            set { _authorizedRoles = value; }
        }

        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            base.HandleUnauthorizedRequest(filterContext);
            if (filterContext.HttpContext.Request.IsAuthenticated)
            {
                filterContext.HttpContext.Response.TrySkipIisCustomErrors = true;
                filterContext.Result = new HttpStatusCodeResult(403);
            }
        }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            if (httpContext == null)
                throw new ArgumentNullException("httpContext");

            if (!httpContext.User.Identity.IsAuthenticated)
                return false;

            //Check to see if any of the authorized roles fits into any assigned roles only if roles have been supplied.
            if (AuthorizedRoles.Any(httpContext.User.IsInRole))
                return true;

            return false;
        }
    }
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    OK, I am not sure if this is truly correct or not, but it fits my symptoms. http://forums.asp.net/t/1462153.aspx/1
    I am not happy that I have to code the redirect, but I tried to make it at least explicit for future maintainability. 

        public bool RedirectAuthenticatedButUnauthorizedUsers { get; set; }

    private String _redirectUnauthorizedUrl = String.Empty;
    public String RedirectUnauthorizedUrl
    {
        get { return _redirectUnauthorizedUrl; }
        set { _redirectUnauthorizedUrl = value.Trim(); }
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        base.HandleUnauthorizedRequest(filterContext);
        if (!RedirectAuthenticatedButUnauthorizedUsers || !filterContext.HttpContext.Request.IsAuthenticated)
            return;
        if(RedirectUnauthorizedUrl == String.Empty)
            throw new NullReferenceException("RedirectAuthenticatedButUnauthorizedUsers " +
                                             "set to true, but no redirect URL set.");
        filterContext.HttpContext.Response.Redirect(RedirectUnauthorizedUrl);
    }
    • 0