customErrors for 401.2 in ASP.NET

I have successfully implemented role-based authorization in ASP.NET. When a person does not have the necessary role, they receive the error page for 401.2 (Unauthorized).

What I would like to do now is create a custom 401 page in my application and redirect there through the settings in web.config. I tried this:

    <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
        <error statusCode="401" redirect="NoAccess.htm" />
    </customErrors>

But they will not get it. Do I need to override it in IIS? I hope this is not the case because it will speed up the deployment process.

+7
Jan 13
4 answers

I recently ran into the same problem, and it turned out that this is one of the quirks when using Windows Authentication.

Joshua Flanagan created a nice HttpModule some time ago that will respect the customErrors section in your web.config and redirect to the 401 error page.

The key to the solution is to intercept the EndRequest event of the page life cycle, check for a 401 status code, and execute your custom page.

The portability of an HttpModule is nice because it makes the solution reusable and keeps your Global.asax clean, but there is nothing to prevent you from wiring up the EndRequest event in Global.asax with its code if you really wanted to.

If you use ASP.NET MVC, the solution is not so elegant.

+7
Feb 06 '10 at 1:23
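
The HttpModule approach described in the answer above, as an added example; it is not Joshua Flanagan's module and not code from the post. The class name `Custom401Module` and the assumption that the 401 entry in customErrors is an app-relative path to an .aspx page are choices made for this sketch.

```csharp
// Added example. Register it under <system.webServer><modules> (integrated
// pipeline) or <system.web><httpModules> (classic), type="Custom401Module".
using System;
using System.Web;
using System.Web.Configuration;

public sealed class Custom401Module : IHttpModule   // hypothetical name
{
    public void Init(HttpApplication app)
    {
        app.EndRequest += OnEndRequest;
    }

    public void Dispose() { }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;

        // A 401 on an unauthenticated request is the Windows Authentication
        // challenge. Replacing its body would break the handshake, so only
        // handle 401s raised after the user was authenticated, i.e. the
        // role check failed.
        if (app.Response.StatusCode != 401 || !app.Request.IsAuthenticated)
            return;

        // Honors mode="Off" and mode="RemoteOnly" for local requests.
        if (!app.Context.IsCustomErrorEnabled)
            return;

        var section = (CustomErrorsSection)
            WebConfigurationManager.GetSection("system.web/customErrors");
        if (section == null) return;
        CustomError entry = section.Errors["401"];
        string path = entry != null ? entry.Redirect : section.DefaultRedirect;
        if (string.IsNullOrEmpty(path))
            return;   // Nothing configured: leave the response to IIS.

        app.Response.ClearContent();
        // Assumption: path is app-relative, e.g. "~/NoAccess.aspx".
        app.Server.Execute(path);
        // The status code stays 401, so the denial is still visible in logs.
        // Without this flag IIS may swap the body for its own error page.
        app.Response.TrySkipIisCustomErrors = true;
        app.Server.ClearError();
    }
}
```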

If you do not want to add an HttpModule

in web.config

    <system.web>
        <customErrors mode="On" defaultRedirect="~/MyController/MyErrorAction/" redirectMode="ResponseRedirect">
            <error statusCode="401" redirect="~/MyController/MyErrorAction/" />
        </customErrors>
    </system.web>

in global.asax.cs

    // Needs: using System.Web; using System.Web.Mvc; using System.Web.Routing;
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpApplication application = (HttpApplication)sender;

        // Only handle a 401 for a user who is already authenticated.
        if (application.Response.StatusCode != 401 || !application.Request.IsAuthenticated)
            return;

        application.Response.ClearContent();

        // You can replace the piece below to redirect using MVC, or you can
        // replace all of this with application.Server.Execute(yourPage);
        IController errorController = new SharedController();
        var rd = new RouteData();
        rd.Values.Add("controller", "MyController");
        rd.Values.Add("action", "MyErrorAction");
        rd.Values.Add("value", "You or your user group do not have permissions to use the address: " + Request.Url.PathAndQuery);
        errorController.Execute(new RequestContext(new HttpContextWrapper(Context), rd));

        HttpContext.Current.Server.ClearError();
    }

+3
Sep 17 '12 at 18:37

Here's an MVC-agnostic version:

In web.config

    <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
        <error statusCode="401" redirect="NoAccess.htm" />
    </customErrors>

In Global.asax.cs

    // Needs: using System.Configuration; using System.Web; using System.Web.Configuration;
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpApplication application = (HttpApplication)sender;

        // Only handle a 401 for a user who is already authenticated.
        if (application.Response.StatusCode != 401 || !application.Request.IsAuthenticated)
            return;

        // Look up the 401 page in customErrors, falling back to defaultRedirect.
        var customErrors = (CustomErrorsSection)ConfigurationManager.GetSection("system.web/customErrors");
        var accessDeniedPath = customErrors.Errors["401"] != null
            ? customErrors.Errors["401"].Redirect
            : customErrors.DefaultRedirect;
        if (string.IsNullOrEmpty(accessDeniedPath))
            return; // Let other code handle it (probably IIS).

        application.Response.ClearContent();
        application.Server.Execute(accessDeniedPath);
        HttpContext.Current.Server.ClearError();
    }

+3
Aug 29 '13 at 9:11

Here is what worked for me.

Global.asax -

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // Authenticated but not authorized: send the user to the access-denied page.
        if (Response.StatusCode == 401 && Request.IsAuthenticated)
        {
            Response.StatusCode = 303;
            Response.Clear();
            Response.Redirect("~/AccessDenied.html");
            Response.End();
        }
    }

Web.config -

    <system.web>
        <customErrors mode="On">
            <error statusCode="401" redirect="AccessDenied.html"/>
        </customErrors>
        <authentication mode="Windows"/>
    </system.web>
    <location path="AccessDenied.html">
        <system.web>
            <authorization>
                <!-- Everyone may read the access-denied page. users="*" is the
                     all-users wildcard; roles takes role names only. -->
                <allow users="*"/>
            </authorization>
        </system.web>
    </location>
    <location path=".">
        <system.web>
            <authorization>
                <allow roles="YourADGroup"/>
                <deny users="*" />
            </authorization>
        </system.web>
    </location>

This also applies to the double 401-to-200 issue. It also bypasses the false Firefox authentication popup.

+2
May 14 '15 at 23:47


