Does AuthorizeAttribute not work if the URL has a query string?

In an ASP.NET MVC3 web application, the entire controller has an [Authorize] attribute attached to it. Therefore, if the user is not logged in or the session has expired, they will be redirected to the login page. It works ... sometimes. The URLs in the "works" list below are redirected correctly to the login page; the URLs in the "not working" list display the IIS 401 error screen - they are not redirected to the login page.

Work

Does not work

The model for the MyAction action has a public string ReturnUrl { get; set; } in its base class. It also has other properties, but adding them to the query string does not affect input redirection. This seems to be just the ReturnUrl parameter.

I'm not sure what else to see. Any ideas why ReturnUrl options might cause problems?

Routes

    routes.MapRoute("Default-Title-ID", "{Controller}/{Action}/{Title}_{ID}", namespaces);
    routes.MapRoute("Default-ID", "{Controller}/{Action}/{ID}", namespaces);
    routes.MapRoute("Default", "{Controller}/{Action}", new { Controller = "Home", Action = "Index" }, namespaces);
    routes.MapPageRoute("Reports-View", "ViewReport_{ID}", "~/Views/Reports/View.aspx");

Working example (well, it doesn't work, but illustrates the problem.)

Download the solution here: https://docs.google.com/file/d/0B4o6vqgNLpvbeVo4bVdKZWFMcEE/edit?usp=sharing

And then try visiting:

+4
1 answer

I wanted to post this as a comment, but it's too long. I needed a dynamic redirect for one of my applications and used the following solution (it uses the controller that called it instead of the static URL in web.config). By testing this example, you fix the problem. But I can’t understand why. Perhaps this will lead you to the right path, or someone else may clarify.

    using System.Web.Mvc;
    using System.Web.Routing;

    namespace MvcApplication1.App_Start
    {
        public class LoginRequiredAttribute : AuthorizeAttribute
        {
            public override void OnAuthorization(AuthorizationContext filterContext)
            {
                base.OnAuthorization(filterContext);

                // Swap the 401 result for a redirect to Login on the calling controller.
                if (filterContext.Result is HttpUnauthorizedResult)
                {
                    filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
                    {
                        { "controller", filterContext.RouteData.Values["controller"] },
                        { "action", "Login" },
                        { "ReturnUrl", filterContext.HttpContext.Request.RawUrl }
                    });
                }
            }
        }
    }

Then just change the action to use the new attribute:

    [LoginRequired]
    public ActionResult TestMe()
+2
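
The attribute in the answer above passes the original request's RawUrl to the Login action as ReturnUrl. As an added example (not part of the answer or the asker's project), this is one way that action can consume the value, using Url.IsLocalUrl so the post-login redirect only follows local URLs. The controller name, LoginModel, and the Home/Index fallback are assumptions.

```csharp
using System.Web.Mvc;
using System.Web.Security;

namespace MvcApplication1.Controllers
{
    // Hypothetical view model; the page does not show the login form's model.
    public class LoginModel
    {
        public string UserName { get; set; }
        public string Password { get; set; }
        public string ReturnUrl { get; set; }
    }

    // Hypothetical controller. Login must NOT carry [LoginRequired],
    // otherwise the attribute redirects to Login in a loop.
    public class TestController : Controller
    {
        [HttpGet]
        public ActionResult Login(string returnUrl)
        {
            // Only a validated value is round-tripped through the form.
            return View(new LoginModel { ReturnUrl = SafeReturnUrl(returnUrl) });
        }

        [HttpPost]
        public ActionResult Login(LoginModel model)
        {
            if (!Membership.ValidateUser(model.UserName, model.Password))
            {
                ModelState.AddModelError("", "The user name or password is incorrect.");
                model.Password = null;
                return View(model);
            }

            FormsAuthentication.SetAuthCookie(model.UserName, false);

            // Validate again on POST: the posted field is client-controlled.
            string target = SafeReturnUrl(model.ReturnUrl);
            return target != null
                ? (ActionResult)Redirect(target)
                : RedirectToAction("Index", "Home");
        }

        // Returns the URL only if it is local to this site; absolute or
        // protocol-relative URLs ("//host/...") yield null.
        private string SafeReturnUrl(string returnUrl)
        {
            return !string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl) ? returnUrl : null;
        }
    }
}
```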