3

I am working on an ASP.NET Core 2 web application. I am handling Access Denied page for [Authorize (roles OR policies)] pages.

By default, Instead of showing the original URL and returning 403 status, ASP.NET Core 2.0 redirects the request to an AccessDenied page with status is 302 -> This is not what I want.

Instead of redirecting AccessDenied page. I want ASP.NET Core throws my custom ForbiddenException exception so I can handle unauthorized accesses like I do for Unhandled exceptions.

Here is my authentication configuration:

services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme; // Cookies
    options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; // Cookies       
    options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme; // Cookies
})
.AddCookie(options => {

    options.LoginPath = "/Auth/Login/";
    options.LogoutPath = "/Auth/Logout/";

    // I want disable this and throw ForbiddenException instead.
    options.AccessDeniedPath = "/Auth/AccessDenied/";  
});

Anyone has any help? Thank you!

Improve this question

1 Answer 1

Reset to default
8

The code for redirecting to AccessDeniedPath is handled by CookieAuthenticationEvents.OnRedirectToAccessDenied, included here for completeness:

public Func<RedirectContext<CookieAuthenticationOptions>, Task> OnRedirectToAccessDenied { get; set; } = context =>
{
    if (IsAjaxRequest(context.Request))
    {
        context.Response.Headers["Location"] = context.RedirectUri;
        context.Response.StatusCode = 403;
    }
    else
    {
        context.Response.Redirect(context.RedirectUri);
    }
    return Task.CompletedTask;
};

In order to override this behavior, you can provide your own implementation of OnRedirectToAccessDenied, that can either write to the response or, in your case, throw an exception. To do that, you can use something like the following:

services.AddAuthentication(...)
    .AddCookie(options => {
        // ...
        options.Events.OnRedirectToAccessDenied = context => {
            // Your code here.
            // e.g.
            throw new YouAreNotWelcomeHereException();
        };
    });

Here, context is an instance of RedirectContext, which (through its inheritance tree), contains properties such as:

Using these properties, you can obtain any information you need about the incoming request. You can also write your own response, etc.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.