ASP.NET Core MVC - Redirect to Access Denied Page on 403
I have a relatively simple ASP.NET Core MVC intranet app that was originally written in .NET Core 2.0, but which I'm trying to update to .NET 8.
I'm not making any other changes to it (yet), all I'm doing right now is trying to get it working in .NET 8. The app is using Integrated Windows authentication along with the Authorize attribute and roles property to implement some basic authorization.
This code is supposed to redirect users who receive a 403 response to my AccessDenied page, and it works in .NET Core 2.0, but isn't working in .NET 8. This code was originally in my Startup class, but I've moved it to the Program class for .NET 8 since I got the impression that seems to be what I probably ought to be doing now.
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
builder.Services.AddAuthentication(IISDefaults.AuthenticationScheme);
var app = builder.Build();
app.UseStatusCodePages(statusCodeContext =>
{
if (statusCodeContext.HttpContext.Response.StatusCode == 403)
{
statusCodeContext.HttpContext.Response.Redirect(statusCodeContext.HttpContext.Request.PathBase + "/AccessDenied");
}
return Task.CompletedTask;
});
It just seems to be ignoring the UseStatusCodePages method completely, as far as I can tell. I have to be honest, I'm kind of an amateur programmer so I don't know a lot about the intricacies of ASP.NET Core MVC, so I'm sure I probably copied this code from somewhere online (probably StackOverflow, even) back in 2019. I just can't figure out why it's not working now in .NET 8.
I found other posts with potential solutions, but they either involved things that don't apply here, like using cookies, or they involved adding my own custom middleware, which is a little over my head and seems a little complicated for what used to be relatively simple. I'm hoping I'm just missing something obvious. Thank you very much for your help!
It just seems to be ignoring the UseStatusCodePages method completely, as far as I can tell. I have to be honest, I'm kind of an amateur programmer so I don't know a lot about the intricacies of ASP.NET Core MVC, so I'm sure I probably copied this code from somewhere online (probably StackOverflow, even) back in 2019. I just can't figure out why it's not working now in .NET 8.
Based on your scenario and description I have tried to reproduce your issue and I was able to find the cause why you were not able to redirect to your access denied page while there's an error 403
I have seen that you are using wrong order for UseStatusCodePages redirection defination.
You must need to place UseStatusCodePages between app.UseRouting(); and app.UseAuthentication(); middleware other than, it will always be ignored.
Correct order:
app.UseRouting();
app.UseStatusCodePages(async context =>
{
var response = context.HttpContext.Response;
if (response.StatusCode == 403 || response.StatusCode == 401)
{
response.Redirect("/Users/AccessDenied");
}
await Task.CompletedTask;
});
app.UseAuthentication();
Access Denied Action:
public class UsersController : Controller
{
[AllowAnonymous]
[HttpGet]
public IActionResult AccessDenied()
{
return View();
}
}
Using Middleware:
Alternatively, if you would like to use middleware, in that case, you could try as following:
public class AccessDeniedMiddleware
{
private readonly RequestDelegate _next;
public AccessDeniedMiddleware(RequestDelegate next)
{
_next = next;
}
public async Task InvokeAsync(HttpContext context)
{
await _next(context);
if (context.Response.StatusCode == 401 || context.Response.StatusCode == 403)
{
context.Response.Redirect("/Users/AccessDenied");
}
}
}
Note: await _next(context); must be placed before the context checking conditional.
Middleware order:
app.UseRouting();
app.UseMiddleware<AccessDeniedMiddleware>();
app.UseAuthentication();
Output:
I have tested reproducing both StatusCode 401 and 403, you could set your logic as per your requirement.
- JS redirect from [example.com/home] to [example.com/home?loc=USA] causes infinite loop
- Keep getting "307 Temporary Redirect" before returning status 200 hosted on FastAPI + uvicorn + Docker app - how to return status 200?
- Best Practice: 301 Redirect HTTP to HTTPS (Standard Domain)
- How to Show a 503 Error for a Single Page
- How to Show a 503 Error for a Specific URL on a Website Using .htaccess
- How to get Optum sandbox to authenticate with OAuth 2.0 using Java and okhttp
- Codeigniter - url segment replace or redirect
- Redirect chain problem in web.config, Windows Server 2020 IIS
- React - redirect to login page when not authenticated
- Nginx no-www to www and www to no-www
- Laravel | Shared hosting routes not working properly
- How to redirect URL containing question mark and a specific string to the root domain with .htaccess
- How to load program reading stdin and taking parameters in gdb?
- Return 301 status code while redirecting URLs Via JavaScript code
- PHP header redirect 301 - what are the implications?
- How to implement a redirect with HTMX?
- Amazon Cognito: How to stop getting "redirect_mismatch" error when redirecting from browser to Android app
- Nginx Load Balancing
- Symfony 1.2 : weird redirection on a new server
- Http Redirect 302 attempt resulting in "unable to evaluate expression because the code is optimized or a native frame is on top of the call stack"
- Laravel redirect back to original destination after login
- Wordpress site is appears clear of malware, but clicking on Google search results redirects to spam sites
- How to redirect to another page in Remix.run?
- GCP - How do you create a URL Redirect path rule with gcloud url-maps?
- wc_logout_url without confirmation AND redirect to current page in Wordpress WooCommerce
- Webapp does not redirect the page
- Check if bash script was invoked from a shell or another script/application
- Update Browser URL on Redirect
- Redirect visitor to his/her SO profile from my profile
- Apache redirect to another port