Derived ClaimsAuthorizationManager.CheckAccess Returning False in ASP.NET MVC Web API
Sources say that if a child class of ClaimsAuthorizationManager's
CheckAccess returns false, by framework design, it throws a security
exception.
There seems to be no way to catch this error if I want to decorate an ApiController's function with (for example) [ClaimsPrincipalPermission(SecurityAction.Demand, Operation="Read", Resource="Something")].
I already created a sample AuthorizationManager, deriving
ClaimsAuthorizationManager, and registered it in web.config. This
configuration part works.
    using System.Security.Claims;

    public class AuthorizationManager : ClaimsAuthorizationManager
    {
        public override bool CheckAccess(AuthorizationContext context)
        {
            // Deny unconditionally, just to show that the framework then throws the SecurityException
            return false;
        }
    }
So, I set up authorization to fail no matter what, but I want to return a
401 response back to the user instead of that "invasive" 500 (Security
exception returned as Internal Server Error).
Nobody seems to have an answer for this anywhere, and it seems like we'll
just settle for the 500 to communicate unauthorized access to clients.
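One way around the 500 is not to let the permission demand throw at all: a Web API authorization filter can invoke the same ClaimsAuthorizationManager that web.config registers and turn a false result into a status code itself. This is an added example, not code from the original post; the attribute name ClaimsAccessAttribute and the property names are assumptions, and it relies on System.IdentityModel.Services being available (FederatedAuthentication reads the <system.identityModel> configuration).

```csharp
using System.IdentityModel.Services;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Threading;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical replacement for [ClaimsPrincipalPermission(...)]: it calls the
// configured ClaimsAuthorizationManager directly, so a denial becomes an HTTP
// response instead of a SecurityException surfacing as a 500.
public class ClaimsAccessAttribute : AuthorizationFilterAttribute
{
    public string Operation { get; set; }
    public string Resource { get; set; }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var principal = Thread.CurrentPrincipal as ClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            // No usable identity at all: 401 Unauthorized is the accurate answer.
            actionContext.Response =
                actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        // The same manager instance that web.config registers (here the derived
        // AuthorizationManager whose CheckAccess always returns false).
        ClaimsAuthorizationManager manager = FederatedAuthentication
            .FederationConfiguration.IdentityConfiguration.ClaimsAuthorizationManager;
        var context = new AuthorizationContext(principal, Resource, Operation);

        if (!manager.CheckAccess(context))
        {
            // Authenticated but not permitted. The post asks for 401; 403 Forbidden
            // is the more precise code for this case, so choose per the API contract.
            actionContext.Response =
                actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
        }
    }
}

// Usage on an ApiController action (assumed action name):
// [ClaimsAccess(Operation = "Read", Resource = "Something")]
// public IHttpActionResult Get() { ... }
```

Because the filter sets actionContext.Response, the action body never runs and no exception reaches the Web API exception pipeline, which is why the client sees the chosen status instead of Internal Server Error.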