Redirect to another page when user is not authorized in asp.net mvc3

c# asp.net asp.net-mvc asp.net-mvc-3

The default Authorize attribute behaves in such a way that when the user is not authenticated or authenticated but not authorized then it set the status code as 401 (UnAuthorized). When the filter sets the status code as 401 the ASP.NET framework checks if the website has forms authentication enabled and if it is then redirects to loginUrl parameter set up there.

If you want to change that behavior say you want to redirect the user to an AccessDenied controller if the user is authenticated but not authorized then you have to extend the Authorize attribute and override the HandleUnauthorizedRequest method.

For ex.

public class CustomAuthorize: AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult();
        }
        else
        {
           filterContext.Result = new RedirectToRouteResult(new 
               RouteValueDictionary(new { controller = "AccessDenied" }));
        }
    }
}

You can override the HandleUnauthorizedRequest as per your need and then you have to mark the controller actions to use the CustomAuthorize attribute instead of the built-in one.


I like Mark's Answer,
but I don't want to change all of my action attributes
from [Authorize] to [CustomAuthorize]

I edit Login() action on AccountController
and check Request.IsAuthenticated before show view
I think, if the authenticated user go to /Account/Logon,
I will redirect to /Error/AccessDenied.

    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        if (Request.IsAuthenticated)
        {
            return RedirectToAction("AccessDenied", "Error");
        }

        ViewBag.ReturnUrl = returnUrl;

        return View();
    }

Place "/Account/LogOn" Instead of "~/Account/LogOn"


Since I did not want to override AuthorizeAttribute I used filter

public class RedirectFilter : ActionFilterAttribute
{
   public override void OnActionExecuting(ActionExecutingContext filterContext)
    {

        if (!IsAuthorized(filterContext))
        {
            filterContext.Result =
                new RedirectToRouteResult(new RouteValueDictionary(new {controller = "AccessDenied"}));
        }
    }

    private bool IsAuthorized(ActionExecutingContext filterContext)
    {
        var descriptor = filterContext.ActionDescriptor;
        var authorizeAttr = descriptor.GetCustomAttributes(typeof(AuthorizeAttribute), false).FirstOrDefault() as AuthorizeAttribute;

        if (authorizeAttr != null)
        {
            if(!authorizeAttr.Users.Contains(filterContext.HttpContext.User.ToString()))
            return false;
        }
        return true;

    }
}

Yes, it is correct as you mentioned in web.config

<forms loginUrl="~/Account/LogOn" timeout="2880" />

redirection is looking for Account controller and LogOn actionresult. If you want to redirect your page, change there instead of account and logon

Related

Access kwargs from a URL in a Django template
jQuery .slideRight effect
Check if a number is non zero using bitwise operators in C
MATLAB: Differences between .mat versions
How to Compress Slot Calls When Using Queued Connection in Qt?
Facebook SDK 3.1 for iOS - runs on iOS6, but crashes on iOS 5.x
Why is there no std::protect?
How to resize Title in a navigation bar dynamically
What does the curly-brace syntax ${var%.*} mean?
How is an array in a PHP foreach loop read?
How should I detect the MIME type of an uploaded file in ASP.NET?
Ajax - Get size of file before downloading