<p>The release notes for MVC 4 RC imply this has been resolved since the Beta - which are you using?</p>
<p><a href="http://www.asp.net/whitepapers/mvc4-release-notes" rel="nofollow">http://www.asp.net/whitepapers/mvc4-release-notes</a> <em>Unauthorized requests handled by ASP.NET Web API return 401 Unauthorized: Unauthorized requests handled by ASP.NET Web API now return a standard 401 Unauthorized response instead of redirecting the user agent to a login form so that the response can be handled by an Ajax client.</em></p>
<p>Looking into the source code for MVC, there appears to be functionality added via SuppressFormsAuthRedirectModule.cs</p>
<p><a href="http://aspnetwebstack.codeplex.com/SourceControl/network/forks/BradWilson/AspNetWebStack/changeset/changes/ae1164a2e339#src%2fSystem.Web.Http.WebHost%2fHttpControllerHandler.cs" rel="nofollow">http://aspnetwebstack.codeplex.com/SourceControl/network/forks/BradWilson/AspNetWebStack/changeset/changes/ae1164a2e339#src%2fSystem.Web.Http.WebHost%2fHttpControllerHandler.cs</a>.</p>
<pre><code>internal static bool GetEnabled(NameValueCollection appSettings)
{
    // anything but "false" will return true, which is the default behavior
</code></pre>
<p>So it looks like this is enabled by default and RC should fix your issue without any heroics... as a side point it looks like you can disable this new module using AppSettings <a href="http://d.hatena.ne.jp/shiba-yan/20120430/1335787815" rel="nofollow">http://d.hatena.ne.jp/shiba-yan/20120430/1335787815</a>:</p>
<pre><code>&lt;appSettings&gt;
  &lt;add key="webapi:EnableSuppressRedirect" value="false" /&gt;
&lt;/appSettings&gt;
</code></pre>
<p><strong>Edit (example and clarification)</strong></p>
<p>I have now created an example for this approach on <a href="https://github.com/markyjones/StackOverflow/tree/master/FormsAuthAndWebApi/FormsAuthAndWebApi" rel="nofollow">GitHub</a>. The new redirection suppression requires that you use the two correct "Authorise" attributes; MVC Web [System.Web.Mvc.Authorize] and Web API [System.Web.Http.Authorize] in the controllers AND/OR in the global filters <a href="https://github.com/markyjones/StackOverflow/blob/master/FormsAuthAndWebApi/FormsAuthAndWebApi/App_Start/FilterConfig.cs" rel="nofollow">Link</a>.</p>
<p>This example does however draw out a limitation of the approach. It appears that the "authorisation" nodes in the web.config will always take priority over MVC routes, e.g. config like this will override your rules and still redirect to login:</p>
<pre><code>&lt;system.web&gt;
  &lt;authentication mode="Forms"&gt;
  &lt;/authentication&gt;
  &lt;authorization&gt;
    &lt;!-- will deny anonymous users to all routes including WebApi --&gt;
    &lt;deny users="?"/&gt;
  &lt;/authorization&gt;
&lt;/system.web&gt;
</code></pre>
<p>Sadly opening this up for some URL routes using the Location element doesn't appear to work and the WebApi calls will continue to be intercepted and redirected to login.</p>
<p><em>Solutions</em></p>
<p>For MVC applications I simply suggest removing the config from Web.Config and sticking with Global filters and Attributes in the code.</p>
<p>If you must use the authorisation nodes in Web.Config for MVC or have a Hybrid ASP.NET and WebApi application then @PilotBob - in the comments below - has found that sub folders and multiple Web.Configs can be used to have your cake and eat it.</p>
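<p>A sketch of the code-only setup the answer recommends, with both Authorize attributes registered as global filters. This is an added example, not code from the answer or its GitHub project; the class, controller and method names are hypothetical, and it assumes MVC 4 RC or later with no &lt;authorization&gt; deny rule in Web.Config.</p>

```csharp
// Added example: names below are hypothetical, not taken from the linked project.
using System.Web.Http;
using System.Web.Mvc;

public static class AuthFilterConfig
{
    // Call from Application_Start:
    //   AuthFilterConfig.RegisterMvcFilters(GlobalFilters.Filters);
    //   AuthFilterConfig.RegisterApiFilters(GlobalConfiguration.Configuration);
    public static void RegisterMvcFilters(GlobalFilterCollection filters)
    {
        // MVC pipeline: anonymous page requests go to the forms login page.
        // Fully qualified because both namespaces define AuthorizeAttribute.
        filters.Add(new System.Web.Mvc.AuthorizeAttribute());
    }

    public static void RegisterApiFilters(HttpConfiguration config)
    {
        // Web API pipeline: anonymous calls are rejected with 401, which the
        // redirect-suppression module leaves as 401 for the Ajax client.
        config.Filters.Add(new System.Web.Http.AuthorizeAttribute());
    }
}

// Protected by the global Web API filter; no attribute needed here.
public class OrdersController : ApiController
{
    public string[] Get()
    {
        return new[] { "order-1", "order-2" }; // constructed sample data
    }
}

// The login page must opt out of the global MVC filter, otherwise
// anonymous users are redirected to a page they cannot reach.
public class AccountController : Controller
{
    [System.Web.Mvc.AllowAnonymous]
    public ActionResult Login()
    {
        return View();
    }
}
```

<p>Putting the MVC attribute on an ApiController (or the reverse) compiles but is never evaluated by that pipeline, so the endpoint ends up unprotected; fully qualifying the attribute names makes that mistake visible in review.</p>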
 
