The 200 OK status code is set upstream of the call to HandleUnauthorizedRequest. Explicitly clearing, setting and ending the response works. SuppressFormsAuthenticationRedirect doesn't appear to be necessary in this case.
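
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Drop any output already buffered for this response.
        filterContext.HttpContext.Response.Clear();
        // Replace the 200 OK set upstream with 401 Unauthorized.
        filterContext.HttpContext.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
        // Send the response now and stop further processing of the request.
        filterContext.HttpContext.Response.End();
        base.HandleUnauthorizedRequest(filterContext);
    }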