开发者

Is there a way to make AuthorizeAttribute respond with status code 403 Forbidden rather than a redirect?

开发者 https://www.devze.com 2023-02-05 08:32 出处：网络

If the user is not logged in and they reque开发者_如何转开发st an action marked [Authorize], then the response is a redirect to the Account/LogOn action (status code 302 Found).

相关专题：asp.net-mvc-2 authorize-attribute http-status-code-403

If the user is not logged in and they reque开发者_如何转开发st an action marked [Authorize], then the response is a redirect to the Account/LogOn action (status code 302 Found).

Is there a way to make the response be status code 403 Forbidden instead?

Create an action filter that inherits from AuthorizeAttribute. Then override this method:

protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{ 
   Response.StatusCode = 403;
   Response.Status = "Forbidden";
   Response.StatusDescription = "Forbidden";
   Response.End();
   Response.Close();

}

If the user is not logged in then the more appropriate status code is 401:Unauthorized. This is what the AuthorizeAttribute returns by default.

FormsAuthenticationModule will catch this return code and convert it into the redirect. If you can disable (or not even load it) then this will be returned to the caller.