Home/ Questions/Q 4119294
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-20T23:04:20+00:00

I have an MVC application with the following block inside in Web.config: <authentication mode=Forms>

  • 0

I have an MVC application with the following block inside in Web.config:

<authentication mode="Forms">
    <forms loginUrl="~/Login" timeout="2880" />
</authentication>

So, if a user requests a page and authorization fails, they will be redirected to ~/Login.

That’s fine, and I need it for most of my controllers. However, I have a controller which I’d like to bypass this rule with. How can I allow specific controllers to ignore this rule?

My problem is that in my MVC application (which has several controllers), I have a certain controller which hosts a REST interface (not meant for browser use). Since this controller isn’t meant for browser-consumption, I don’t want it sending back an entire login page, (or any page whatsoever actually, just strings or partial views.)

Note that I’m using custom [Authorize…] attributes on my actions, and when THESE fail, they redirect to an Error action–but, unfortunately, my Error action (which returns a short string) is being redirected to the Login page because of this configuration setting!

I’m getting dizzy trying to figure this out, what am I doing wrong? I can provide more details if necessary.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You could extend the AuthorizeAttribute class and override HandleUnauthorizedRequest, you may want to return a Forbidden http status code rather than a custom message.

    public class CustomAuthorizationAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // You need to set this action result to something other than a HttpUnauthorizedResult, 
        // this result will cause the redirection to the login page

        // Forbidden request... does not redirect to login page
        // filterContext.Result = new HttpStatusCodeResult(403);

        filterContext.Result = new ErrorActionResult { ErrorMessage = "Unauthorized Access" };
    }
}

public class ErrorActionResult : ActionResult
{
    public string ErrorMessage { get; set; }

    public override void ExecuteResult(ControllerContext context)
    {
        context.HttpContext.Response.Write(this.ErrorMessage);
    }
}
    • 0