Sending message with 401: Asp.net Web-api
I am working with ASP.NET Web API. In the login method I check the user/password against the DB and, if they do not match, I return a 401 status code along with an invalid user or password message, like:

var content = new StringContent("Invalid user name or password");
var message = new HttpResponseMessage(HttpStatusCode.Unauthorized);
message.Content = content;
throw new HttpResponseException(message);

But the API seems to ignore my message and simply returns some HTML like:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;} 
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;} 
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} 
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
 <div class="content-container"><fieldset>
  <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
 </fieldset></div>
</div>
</body>
</html>

Why is that? How can I override this?

Levo answered 20/9, 2012 at 11:37 Comment(0)

One potential cause of this response is the IIS web site being configured to allow Forms authentication. Look at this older but still valid post on configuring IIS to disable Forms authentication for the Web API.

Holdfast answered 20/9, 2012 at 12:20 Comment(2)
If that was the case, wouldn't it redirect to the login page instead of throwing custom HTML for 401? – Levo
Please note that the response code is correct (401) and it's not redirecting to the login page. The problem is just that it is returning HTML of its own choice. – Levo

I believe the response you are getting is from IIS and not from Web API. If you want to handle the authentication process yourself within your API, you need to tell IIS that anonymous access is allowed so that it will get out of the way.

Also, when you return a 401 you MUST return a WWW-Authenticate header (see http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2). This tells the client what type of authentication is allowed.

Sextillion answered 20/9, 2012 at 12:38 Comment(0)
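
The 401 described in the answer above, as an added example (not code from the question or from either answer): a Web API login action that sends the status code, a WWW-Authenticate challenge and the message body together. The controller, `LoginRequest`, `IUserStore`, the `Basic` scheme and the realm value are assumptions made for illustration.

```csharp
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Http;

// Hypothetical abstraction: the question only says the credentials
// are checked against the database.
public interface IUserStore
{
    bool VerifyPassword(string userName, string password);
}

// Hypothetical request body for the login call.
public class LoginRequest
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class LoginController : ApiController
{
    private readonly IUserStore _users;

    public LoginController(IUserStore users)
    {
        _users = users;
    }

    [AllowAnonymous] // the login endpoint itself must be reachable without credentials
    public HttpResponseMessage Post(LoginRequest login)
    {
        bool ok = login != null
            && !string.IsNullOrEmpty(login.UserName)
            && login.Password != null
            && _users.VerifyPassword(login.UserName, login.Password);
        if (ok)
        {
            return new HttpResponseMessage(HttpStatusCode.OK);
        }

        // Same text for an unknown user and a wrong password, as in the question.
        var response = new HttpResponseMessage(HttpStatusCode.Unauthorized)
        {
            Content = new StringContent("Invalid user name or password")
        };
        // RFC 2616 sec. 10.4.2: a 401 carries a challenge naming the accepted scheme.
        // "Basic" and the realm are placeholders; use the scheme the API really accepts.
        response.Headers.WwwAuthenticate.Add(
            new AuthenticationHeaderValue("Basic", "realm=\"api\""));
        return response;
    }
}
```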