问题
In our ASP.NET MVC application, we automatically redirect users to a log-on page via the <authentication> section of <system.web> when they attempt to access an authorized-only page. The problem is that one action in the middle of the application, designed to be used by a tool, needs to return a straight-up HTTP 401 response on bad access. How can I return a real HTTP 401 code without the redirect for this specific action?
回答1:
The following solution works, although I'm not at all sure it's optimal:
public class HttpAuthenticationRequiredResult : ActionResult
{
public override void ExecuteResult(ControllerContext context)
{
var response = context.HttpContext.Response;
response.StatusCode = 401;
response.AddHeader("WWW-Authenticate", "Basic realm=\"whatever\"");
response.Flush();
response.Close();
}
}
You can then return the above result instead of an HttpUnauthorizedResult to generate the required 401 code. This feels quite klugy to me, however.
回答2:
You can have separate <system.web> sections for separate paths. Here's an example:
<configuration>
<location path="Foo/Bar.aspx">
<system.web>
<authorization>
<allow roles="GoodGuys" />
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
In this case, the page "Foo/Bar.aspx" is allowed to folks with the GoodGuys role, but denied to all others.
In your case, you might want to allow all without authentication:
<configuration>
<location path="Foo/Bar.aspx">
<system.web>
<authentication mode="None" />
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
回答3:
Had a similar case where I needed to return back something that triggered an undesired redirect (basically a message about how authentication failed and it was redirecting to the login screen without the error information).
This solved the problem:
Response.SuppressFormsAuthenticationRedirect = true;
来源:https://stackoverflow.com/questions/941909/override-asp-net-forms-authentication-for-a-single-page