Last post Dec 04, 2019 08:22 AM by PatriceSc
Dec 02, 2019 06:04 AM|JoeyWang|LINK
the work flow as below
I search it from internet and get the below information.
The browser pops up a login prompt when both of the following conditions are met:
So, I tried to remove "WWW-Authenticate", but never succeeded. As long as I set "StatusCode = System.Net.HttpStatusCode.Unauthorized" for "HttpResponseMessage", the client browser always gets "WWW-Authenticate". It seems the Windows authentication module in IIS covers the information.
So, my question is that
Dec 02, 2019 06:01 PM|bruce (sqlwork.com)|LINK
The authorization attribute by default just says not authorized, which always redirects to the login process (in your case a 401). To get the behavior you want: if the user is authenticated but fails authorization, this is typically treated as a forbidden error (403). This behavior has to be enabled in WebAPI. In ASP.NET Core, this is enabled via a policy.
Dec 03, 2019 02:18 AM|JoeyWang|LINK
Thanks for your reply.
If one user does not have permission, then respond to the client with forbidden, and show an error page to tell the user they have no permission.
Thus, how do I pop up the login dialog again? Even if I refresh the page, it seems to request the server again with the previous token, since the "forbidden" result has the header "Persistent-auth: true" instead of "WWW-Authenticate". So the login dialog no longer shows again.
How to resolve it?
Dec 03, 2019 09:24 AM|Yongqing Yu|LINK
According to your description, we tested with your idea.
To implement the requirements you mentioned, I suggest you add the following code in the custom AuthorizationFilterAttribute method:
actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Unauthorized);
For more details, you could refer to this link :
Unauthorised webapi call returning login page rather than 401
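The 401-versus-403 split bruce describes, combined with the custom AuthorizationFilterAttribute suggested above, as an added example for ASP.NET Web API 2 (not code from either poster). The role name "ApiUsers" and the Negotiate scheme are assumptions, and the IIS Windows authentication module may still add its own challenge headers to a 401, as JoeyWang observed.

```csharp
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Added example (not from the thread). Usage: [AuthenticatedOrForbidden("ApiUsers")]
// on a controller or action. "ApiUsers" and the "Negotiate" scheme are assumptions.
public class AuthenticatedOrForbiddenAttribute : AuthorizationFilterAttribute
{
    private readonly string _role;

    public AuthenticatedOrForbiddenAttribute(string role)
    {
        _role = role;
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal;

        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            // Not authenticated: answer 401 with a challenge so the browser prompts.
            var response = actionContext.Request.CreateResponse(
                HttpStatusCode.Unauthorized,
                new { message = "Authentication required" });
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Negotiate"));
            actionContext.Response = response;
            return;
        }

        if (!principal.IsInRole(_role))
        {
            // Authenticated but not permitted: answer 403 with no challenge, so the
            // browser does not re-prompt and the client can show its own error page.
            actionContext.Response = actionContext.Request.CreateResponse(
                HttpStatusCode.Forbidden,
                new { message = "You do not have permission to access this resource." });
        }

        // Authenticated and in the role: fall through and let the action run.
    }
}
```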
Dec 04, 2019 08:00 AM|JoeyWang|LINK
Thanks for your reply.
Actually I did it like you mentioned as below.
HttpResponseMessage responseMessage = new HttpResponseMessage()
{
    Content = new StringContent(JsonConvert.SerializeObject(message)),
    //StatusCode = System.Net.HttpStatusCode.Forbidden
    StatusCode = System.Net.HttpStatusCode.Unauthorized
};
But there is a bad user experience. When it responds Unauthorized to the client, the login dialog flashes once, and then the login dialog appears again.
The expected behavior is: enter the user account and password and click the OK button, then the server side responds Unauthorized to the client. Then the login dialog disappears and an error page shows to tell the user they have no permission. Clicking a login button shows the login dialog again.
The above is question 1.
Question 2: if I use "Forbidden" instead of Unauthorized, then I can implement the above expectation, but the login dialog no longer shows again.
Question 3: if I enter an incorrect account or password, then it responds with status code 0, and the login dialog also cannot show again, even if I press F5 to refresh it, unless I close Chrome and open it again.
Well, Windows authentication is not easy to use.
Dec 04, 2019 08:22 AM|PatriceSc|LINK
window authentication is not easy to use
It should do pretty much all of it for you given a few restrictions. Your web site and your API are both on the same site in your local intranet domain? A problem might be that Windows authentication is not really SSO but rather authenticates the user automatically, if possible, against each and every site, which might perhaps be your issue?