I've read How to easily redirect if not authenticated in MVC 3? and Redirect to AccessDenied page when user is not authorized, but the link from an answer (meaning http://wekeroad.com/2008/03/12/aspnet-mvc-securing-your-controller-actions/) doesn't work.
I put

    using System.Web.Mvc;

    // Only the user named "test" may reach any action on this controller.
    [Authorize(Users = "test")]
    public class RestrictedPageController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }

        // ... further actions
    }
And in my web.config, I already have

    <authentication mode="Forms">
        <forms loginUrl="~/Account/LogOn" timeout="2880" />
    </authentication>

according to https://stackoverflow.com/a/6770583/998696
But when I want to access /RestrictedPage/Index, it must redirect me to another page (from another controller). Instead of this, the error appears like:
Server Error in '/Project' Application.
The view 'LogOn' or its master was not found or no view engine supports the searched locations. The following locations were searched:
~/Views/Account/LogOn.aspx
~/Views/Account/LogOn.ascx
~/Views/Shared/LogOn.aspx
~/Views/Shared/LogOn.ascx
~/Views/Account/LogOn.cshtml
~/Views/Account/LogOn.vbhtml
~/Views/Shared/LogOn.cshtml
~/Views/Shared/LogOn.vbhtml
Before login, the LogOn page form appears correctly, but the above error appears when accessing the /RestrictedPage/Index page. I can log in with a user different from the one authorized to access the RestrictedPage page.

Where is my mistake, and how do I set up the redirection?
Best Answer
The default Authorize attribute behaves in such a way that when the user is not authenticated, or authenticated but not authorized, it sets the status code to 401 (Unauthorized). When the filter sets the status code to 401, the ASP.NET framework checks if the website has forms authentication enabled, and if it is, redirects to the loginUrl parameter set up there.

If you want to change that behavior, say you want to redirect the user to an AccessDenied controller if the user is authenticated but not authorized, then you have to extend the Authorize attribute and override the HandleUnauthorizedRequest method. For ex.

You can override the HandleUnauthorizedRequest as per your need, and then you have to mark the controller actions to use the CustomAuthorize attribute instead of the built-in one.
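As an added example (not the answer's own code), here is a CustomAuthorize attribute of the kind the answer describes: anonymous users keep the default 401 that forms authentication turns into the loginUrl redirect, while authenticated but unauthorized users are redirected elsewhere. The Error controller, its AccessDenied action and its view are hypothetical names.

```csharp
using System.Web.Mvc;
using System.Web.Routing;

// Added example, not the answer's code. Subclass of the built-in Authorize
// attribute that distinguishes "not logged in" from "logged in but not allowed".
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.Request.IsAuthenticated)
        {
            // Not logged in: keep the default behaviour. The base class sets a
            // 401, which forms authentication converts into a redirect to the
            // <forms loginUrl="..."> configured in web.config.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Logged in, but not in the Users/Roles list of the attribute. A 401 here
        // would send an already-authenticated user back to LogOn, so redirect to
        // an access-denied page instead (hypothetical Error/AccessDenied route).
        filterContext.Result = new RedirectToRouteResult(
            new RouteValueDictionary(new { controller = "Error", action = "AccessDenied" }));
    }
}

// The controller from the question, now using the custom attribute.
[CustomAuthorize(Users = "test")]
public class RestrictedPageController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}

// Hypothetical controller that renders ~/Views/Error/AccessDenied.cshtml.
// It carries no Authorize attribute, so the redirected user can actually reach it.
public class ErrorController : Controller
{
    public ActionResult AccessDenied()
    {
        return View();
    }
}
```

The Error controller must itself be reachable by authenticated users, otherwise the redirect target would trigger the same filter again.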