Configure WebAPI Access Denied Response

I am developing an ASP.NET WebAPI application with OAuth 2.0 authentication with a split STS (token) and custom JSON formatting (ServiceStack.Text).

I'm trying to tweak the access denied object / message to make it uniform with the rest of the error messages, but I haven't found a way to change it.

I also think the default formatter is used in this case.

Example:

{
  "Message": "Authorization has been denied for this request."
}

      

Result:

{
  "message": "... insert error message here ...",
  "details": null
}

      

Thanks in advance.

+3




2 answers


You can return a custom response for the current HttpActionContext with a class whose members you define.



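    using System.Net;
    using System.Net.Http;
    using System.Web.Http.Controllers;
    using System.Web.Http.Filters;

    // Hypothetical filter name; the answer does not show the enclosing class.
    public class CustomAuthenticationFilterAttribute : ActionFilterAttribute
    {
        public override void OnActionExecuting(HttpActionContext actionContext)
        {
            // IsAuthenticated is the application's own check; the answer does not show it.
            bool isAuthenticated = IsAuthenticated(actionContext);

            if (!isAuthenticated)
            {
                // Setting Response short-circuits the pipeline, so the action never runs.
                actionContext.Response = actionContext.Request.CreateResponse<CustomActionResult>(HttpStatusCode.Unauthorized, new CustomActionResult
                {
                    Message = "... insert error message here ...",
                    Details = null
                });
            }
        }
    }

    // Body of the uniform error response.
    public class CustomActionResult
    {
        public string Message { get; set; }
        public string Details { get; set; }
    }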

      

+6
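The default "Authorization has been denied for this request." body is produced by AuthorizeAttribute.HandleUnauthorizedRequest, so the response can also be replaced there. The following is an added example, not code from the question or the answers; the names UniformAuthorizeAttribute and ApiError are hypothetical, and it assumes Web API 2 (for RequestContext.Principal). It also returns 403 instead of 401 when the caller is authenticated but not permitted, so clients can tell a missing or invalid token from insufficient rights.

```csharp
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;

// Hypothetical error shape matching the rest of the API's error messages.
// The casing of the serialized property names depends on the configured formatter.
public class ApiError
{
    public string Message { get; set; }
    public string Details { get; set; }
}

// Hypothetical attribute name. Use it in place of [Authorize], or register it
// globally with config.Filters.Add(new UniformAuthorizeAttribute()).
public class UniformAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        // Called only after IsAuthorized returned false, so the request is
        // already rejected; this method only decides what the caller sees.
        var principal = actionContext.RequestContext.Principal;
        bool authenticated = principal != null
            && principal.Identity != null
            && principal.Identity.IsAuthenticated;

        // 401: no valid token was presented. 403: the token is valid but the
        // user or role check failed, so re-authenticating will not help.
        HttpStatusCode status = authenticated
            ? HttpStatusCode.Forbidden
            : HttpStatusCode.Unauthorized;

        // CreateResponse runs content negotiation over the configured
        // formatters, so a custom JSON formatter is applied to this body too.
        actionContext.Response = actionContext.Request.CreateResponse(status, new ApiError
        {
            Message = authenticated
                ? "You do not have permission to perform this action."
                : "Authentication is required for this request.",
            // Keep Details empty: the reason for the denial (missing role,
            // expired token, unknown user) should not be disclosed to the caller.
            Details = null
        });
    }
}
```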




To change all Access Denied messages for the entire ASP.NET website, you can create an HttpModule for all unauthorized statuses returned from your site. In the HttpModule you can handle the EndRequest event and check response.StatusCode; if it is 401, you can change the message to whatever you want. For example:

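    using System;
    using System.Web;

    public class AuthorizeMsgModule : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            // Runs at the end of every request handled by the application.
            context.EndRequest += OnApplicationEndRequest;
        }

        // If the request was unauthorized, modify the response sent to the user
        private static void OnApplicationEndRequest(object sender, EventArgs e)
        {
            var response = HttpContext.Current.Response;
            if (response.StatusCode == 401)
            {
                // ClearContent drops the body only; status code and headers are kept.
                response.ClearContent();
                // Declare the body as JSON so clients parse it like the other error messages.
                response.ContentType = "application/json";
                response.Write("{\"message\": \"... insert error message here ...\",\"details\": null}");
            }
        }

        public void Dispose()
        {
        }
    }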

      

Register your module in the web.config file, for example:



<modules runAllManagedModulesForAllRequests="true">
  <add name="AuthorizeMsgModule" type="mynamespace.AuthorizeMsgModule, myassembly" />
</modules>

      

This will give you the content you write when you return the 401 status, as you can see here in Fiddler.

0

