Question

I use the ClaimsPrincipalPermission for authorization in my ASP.NET 4.5 website.

This works fine.

But when the user tries to call a page which he is not allowed to, the error code returned is a 500 and not something like 401.

Is this the expected behavior? I assume a 401 would express more clearly why this page can't be called.

Or do I have an error? In the debugger I see that a SecurityException is correctly thrown.

Is there a way to change this behavior? Does anyone know why this happens?


Solution

ClaimsPrincipalPermission throws a SecurityException. You may want to use something that plays nicer with the web framework...

see here: http://leastprivilege.com/2012/10/26/using-claims-based-authorization-in-mvc-and-web-api/

OTHER TIPS

The 500 error code does appear to be the default response for SecurityExceptions.

The reasoning makes sense to me because ASP.NET doesn't necessarily know that it's the user who is being denied access; all it knows is a SecurityException got thrown somewhere. Your website itself might have had insufficient permissions to do something, in which case a 500 should be expected.

Exception filters are a good way to analyze uncaught exceptions and figure out what HTTP code you want to return.
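As an added example (not code from the answer above or from any library), here is one way to do that in an ASP.NET MVC application: a hypothetical exception filter that catches the SecurityException raised by a failed ClaimsPrincipalPermission check and answers with 401 for unauthenticated callers or 403 for authenticated callers that lack the required claim, instead of the default 500. It assumes MVC's System.Web.Mvc filter pipeline and .NET 4.5's SuppressFormsAuthenticationRedirect property.

```csharp
using System.Net;
using System.Security;
using System.Web.Mvc;

// Hypothetical filter name; register it globally in FilterConfig with
//   filters.Add(new SecurityExceptionToStatusCodeAttribute());
public class SecurityExceptionToStatusCodeAttribute : FilterAttribute, IExceptionFilter
{
    public void OnException(ExceptionContext filterContext)
    {
        // Leave anything another filter already dealt with alone.
        if (filterContext.ExceptionHandled)
            return;

        // Only translate the exception type ClaimsPrincipalPermission throws;
        // every other exception keeps the generic 500 behaviour.
        if (!(filterContext.Exception is SecurityException))
            return;

        var identity = filterContext.HttpContext.User != null
            ? filterContext.HttpContext.User.Identity
            : null;

        // An anonymous caller is told to authenticate (401); a caller who is
        // authenticated but lacks the claim is simply forbidden (403).
        var status = identity != null && identity.IsAuthenticated
            ? HttpStatusCode.Forbidden
            : HttpStatusCode.Unauthorized;

        filterContext.Result = new HttpStatusCodeResult(status);
        filterContext.ExceptionHandled = true;

        // Stop the Forms Authentication module from turning the 401 into a
        // 302 redirect to the login page, so clients see the real status code.
        filterContext.HttpContext.Response.SuppressFormsAuthenticationRedirect = true;
    }
}
```

The filter deliberately does not catch the base Exception type, so a SecurityException caused by the application's own missing permissions would still need a separate decision; in practice distinguish the two cases by the request's authentication state as shown, or by the exception's origin if your code throws its own.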

ClaimsPrincipalPermissionAttribute is invoked by the CLR and throws a SecurityException in case of a role check failure. Check here for the solution.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow