ASP. net mvc returns the unauthorized (401) status when constructing a restful Service

In the past two days, when building a restful service client, I thought it was already smooth, And I encountered a problem when I got off work.

I plan to return the HTTP exception status (400-599) handled by the server provider to the client component one by one, after receiving the status codes, the client throws the client exception based on the number and description content returned from the server. In the test result, a problem occurs: In my assumption, the client receives the 401 error, then read the status description in response (I used a custom format. For more information, see the previous blog). unexpectedly, the server sent 401 messages and the client did not throw an exception, and read the atom feed Code An error was reported when parsing atom feed, which surprised me very much. After checking httpstatuscode, I found that 200 was returned! The benefit of restful is that you can call the service through a browser and paste the URL to the browser. The original returned result is the logon view... I know something about it. I dare to think about MVC. This guy is smart. He handed 401 to the authentication module to execute unauthorized handler, the entire process is similar to the process where the user does not log on when using the authorize feature (because in fact, when executing the authorization filter, the statuscode of response is also set to 401 through the httpunauthorizedresult instance ). But now I am using a client to call web service. What is the use of a logon interface for me? Besides, I just don't have the permission to access a service method (Action), and I don't have the permission to log on. Should I use 403 instead of 401? But this is not what I want. After some searches, I found that in httpapplication. the endrequest event looks acceptable. The msdn description is as follows: "In ASP. net responds to the request as the last event in the HTTP execution pipeline chain. "The last event should have passed the authentication module, however, I always feel that it is too "heavy" to put such a thing in the application to handle it. Any other error code can be processed as an actionresult, A 401 million is so special. Besides, the old man has always hated "Privilege "... find another solution, httpresponsebase. the end method. The msdn description is as follows: "When re-writing in a derived class, send all the output of the current buffer to the client, stop the process that executes the request, and raise the endrequest event." In other words, the endrequest is sent by the end method, and "stop the process of executing the request" before this, so that the authentication module has no chance to execute it. In this way, you do not need to go to the logon action. Haha, test now:

This. httpcontext. response. Clear (); this. httpcontext. response. statuscode = 401; this. httpcontext. response. End (); return New emptyresult ();
 

Use Chrome to check the response code first

Sure enough, as expected, 401 was obtained, and the Code was changed accordingly. The code was put into httpstatusresult, and the client got 401 and completed.

Finally, let's talk about the web. if the <authentication/> Configuration node in config is removed, the expected results can also be obtained. If you are interested, try it (this does not meet my requirements, so I did not perform a test ).