I put `[Authorize(Roles="admin")]` on a view, and it works in that the user is redirected; however, they are always redirected to the login view despite the fact that they are already logged in. How can I change this so it goes to an error page or something similar?

user1166905
  • When should this redirecting happen? – Jeroen Vannevel Oct 24 '13 at 10:00
  • Well, I simply put the Authorize above the controller view I wish to make available only to certain roles, so whenever that URL is accessed, really. At the moment, going to that route and not being in the role returns the login view? – user1166905 Oct 24 '13 at 10:04
  • possible duplicate of [How do I serve up an Unauthorized page when a user is not in the Authorized Roles?](http://stackoverflow.com/questions/2322366/how-do-i-serve-up-an-unauthorized-page-when-a-user-is-not-in-the-authorized-role) – CodeCaster Oct 24 '13 at 10:07
  • The 2nd answer on this question http://stackoverflow.com/questions/11087677/prevent-formsauthenticationmodule-of-intercepting-asp-net-web-api-responses/17500218#17500218 has allowed me to catch it. But it doesn't hit the custom error page defined in the Application_Error method; how can I change it to go to the same custom error page? – user1166905 Oct 24 '13 at 11:43

2 Answers

You can create a custom authorize attribute like this:

using System.Web.Mvc;
using System.Web.Routing;

public class CustomAuthorize : AuthorizeAttribute
{
    // Called by AuthorizeAttribute whenever the request fails the role/user check.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Not logged in at all: keep the default 401, which forms auth turns into the login redirect.
            base.HandleUnauthorizedRequest(filterContext);
        }
        else
        {
            // Logged in but not in the required role: send to a dedicated page instead of the login view.
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(new { controller = "Home", action = "UnAuthorized" }));
        }
    }
}

and use it like this:

[CustomAuthorize(Roles="admin")]

Hope this helps

Anto Subash

Instead of the duplicate offered I used code from the question: Prevent FormsAuthenticationModule of intercepting ASP.NET Web API responses and modified accordingly:

using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class AuthorizeCustom : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.Request.IsAuthenticated)
        {
            // Authenticated but not in the required role: custom page rather than the login view.
            filterContext.Result = new RedirectResult("/Error/Unauthorized");
        }
        else
        {
            if (filterContext.HttpContext.Request.IsAjaxRequest())
            {
                // Let AJAX callers see the raw 401 instead of a redirect to the login page.
                filterContext.HttpContext.Response.SuppressFormsAuthenticationRedirect = true;
            }
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

Then I just created a view for the "/Error/Unauthorized" route and changed the attribute [Authorize] to [AuthorizeCustom]. Now unauthorized people will be redirected to login as expected, and people who aren't in the roles are redirected to a custom view.

user1166905
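Both answers redirect an authenticated-but-unauthorized user to a separate page, which means the browser first sees a 302 and then a 200 from the error route, so the denial is never visible as a 403 in logs or to an API client. The following is an added example, not code from the thread or from ASP.NET MVC itself, showing one way to keep the distinction between "not logged in" (401, forms-auth login redirect) and "logged in but not in the role" (403 rendered in place). The attribute name `AuthorizeForbidden`, the view path `~/Views/Error/Forbidden.cshtml` and the trace message are assumptions made for this example.

```csharp
using System.Diagnostics;
using System.Net;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute for this example (not from the thread).
// Unauthenticated -> default behaviour (401; forms auth redirects to the login page),
//                    except for AJAX, where the redirect is suppressed so the client sees the 401.
// Authenticated but not in Roles/Users -> a real 403 response, rendered in place,
//                    and a trace entry so denied accesses can be reviewed later.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class AuthorizeForbiddenAttribute : AuthorizeAttribute
{
    // Assumed view location; adjust to the project's own layout.
    private const string ForbiddenView = "~/Views/Error/Forbidden.cshtml";

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        HttpContextBase http = filterContext.HttpContext;

        if (!http.Request.IsAuthenticated)
        {
            if (http.Request.IsAjaxRequest())
            {
                // An XHR caller cannot follow a login redirect usefully; hand it the bare 401.
                http.Response.SuppressFormsAuthenticationRedirect = true;
            }
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Logged in, role check failed: this is a 403, not a 401, so the login page is wrong here.
        Trace.TraceWarning("Forbidden: user '{0}' requested {1} (required roles: '{2}')",
            http.User.Identity.Name, http.Request.RawUrl, Roles);

        if (http.Request.IsAjaxRequest())
        {
            // API-style callers get a status code only; no HTML body to parse.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
            return;
        }

        // Browser callers get the friendly page, but with the genuine 403 status on the
        // same request (no 302 hop), and IIS is told not to swap in its own 403 page.
        http.Response.StatusCode = (int)HttpStatusCode.Forbidden;
        http.Response.TrySkipIisCustomErrors = true;
        filterContext.Result = new ViewResult { ViewName = ForbiddenView };
    }
}
```

Usage is the same as in the answers: `[AuthorizeForbidden(Roles = "admin")]` on the controller or action. If the application centralizes its error pages in `Application_Error`, as the question's last comment describes, an alternative (assumed here, not taken from the thread) is to replace the last three lines of the forbidden branch with `throw new HttpException((int)HttpStatusCode.Forbidden, "Forbidden");` so that the existing handler renders the page; either way the response carries a 403, which is what a reverse proxy or SIEM rule can count.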