401 response code for json requests with ASP.NET MVC
Solution 1:
In classic ASP.NET you get a 401 HTTP response code when calling a WebMethod with Ajax. I hope they'll change it in future versions of ASP.NET MVC. Right now I'm using this hack:
    // Global.asax.cs: turn the Forms authentication 302 into a 401 for Ajax requests.
    protected void Application_EndRequest()
    {
        if (Context.Response.StatusCode == 302 && Context.Request.Headers["X-Requested-With"] == "XMLHttpRequest")
        {
            Context.Response.Clear();
            Context.Response.StatusCode = 401;
        }
    }
Solution 2:
The ASP.NET runtime is developed so that it will always redirect the user if the HttpResponse.StatusCode is set to 401, but only if the <authentication /> section of the Web.config is found.
Removing the authentication section will require you to implement the redirection to the login page in your attribute, but this shouldn't be a big deal.
Solution 3:
I wanted both Forms authentication and to return a 401 for Ajax requests that were not authenticated.
In the end, I created a custom AuthorizeAttribute and decorated the controller methods. (This is on .NET 4.5.)
    <!-- web.config -->
    <authentication mode="Forms">
    </authentication>

    // controller (needs System.Threading.Tasks and System.Web.Mvc;
    // RequestKeyHttpClient and DocumentModel are the poster's own types)
    [Authorize(Roles = "Administrator,User"), Response302to401]
    [AcceptVerbs("Get")]
    public async Task<JsonResult> GetDocuments()
    {
        string requestUri = User.Identity.Name.ToLower() + "/document";
        RequestKeyHttpClient<IEnumerable<DocumentModel>, string> client =
            new RequestKeyHttpClient<IEnumerable<DocumentModel>, string>(requestUri);
        var documents = await client.GetManyAsync<IEnumerable<DocumentModel>>();
        return Json(documents, JsonRequestBehavior.AllowGet);
    }
    // authorizeAttribute
    using System.Web.Mvc;

    public class Response302to401 : AuthorizeAttribute
    {
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            bool authenticated = filterContext.HttpContext.User.Identity.IsAuthenticated;
            if (!authenticated && filterContext.HttpContext.Request.IsAjaxRequest())
            {
                // Unauthenticated Ajax call: answer with JSON and a 401 instead of the login redirect.
                filterContext.Result = new JsonResult
                {
                    Data = new { Message = "Your session has died a terrible and gruesome death" },
                    JsonRequestBehavior = JsonRequestBehavior.AllowGet
                };
                filterContext.HttpContext.Response.StatusCode = 401;
                filterContext.HttpContext.Response.StatusDescription = "Humans and robots must authenticate";
                filterContext.HttpContext.Response.SuppressFormsAuthenticationRedirect = true;
                return;
            }
            // Every other case gets the default result. Without it this filter
            // sets no result at all and does not block the request.
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
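Added example, not part of any of the answers above: the calling script's view of the same problem. A 302 to the login page is followed transparently by the browser, so the script sees a 200 with HTML, while a 401 is directly detectable. The function names, the login path `/Account/Login` and the sample responses are assumptions constructed for illustration.

```javascript
// Added example: names, paths and sample responses are constructed.
const LOGIN_PATH = '/Account/Login'; // assumed Forms authentication loginUrl

// Reduce a fetch() Response to the three fields the classifier needs.
function fromFetch(response) {
  return {
    status: response.status,
    url: response.url, // final URL after any redirects were followed
    contentType: response.headers.get('content-type') || ''
  };
}

// Decide what an Ajax caller that expected JSON actually received.
function classifyAuthResponse(res, loginPath = LOGIN_PATH) {
  // The server answered the Ajax call with an explicit 401.
  if (res.status === 401) return 'session-expired';
  const path = new URL(res.url, 'http://app.invalid').pathname.toLowerCase();
  const isJson = /\bjson\b/i.test(res.contentType);
  // A followed 302 arrives as a 200 with HTML from the login page.
  if (path === loginPath.toLowerCase()) return 'login-page';
  if (res.status >= 200 && res.status < 300) return isJson ? 'ok' : 'not-json';
  return 'error';
}

// Constructed samples: explicit 401, followed redirect, normal JSON reply.
const SAMPLES = [
  { status: 401, url: '/documents', contentType: 'application/json; charset=utf-8' },
  { status: 200, url: '/Account/Login?ReturnUrl=%2fdocuments', contentType: 'text/html; charset=utf-8' },
  { status: 200, url: '/documents', contentType: 'application/json; charset=utf-8' }
];

function runSamples() {
  return SAMPLES.map(s => classifyAuthResponse(s));
}

console.log(runSamples());
```

The `login-page` branch is a fallback for endpoints that still redirect; with a 401 in place, the caller only needs the first check.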