I also had this issue. Code in the OP’s question is perfectly working except the custom error code in <system.web>
section in the web.config
file. To fix the issue what I need to do was add the following code to <system.webServer>
. Note that ‘webserver’
instead of ‘web’
.
<httpErrors errorMode="Custom" existingResponse="Replace">
<remove statusCode="403" />
<error statusCode="403" responseMode="ExecuteURL" path="/Error/UnAuthorized" />
</httpErrors>
If someone is using following environment, here is the complete solution:
The Environment:
- Visual Studio 2013 Update 4
- Microsoft .NET Framework 4.5.1 with ASP.NET MVC 5
- Project: ASP.NET Web Application with MVC & Authentication: Individual User Account template
Custom Attribute class:
Add the following class to your web site’s default namespace. The reason explained here in the accepted answer Stack Overflow question: Why does AuthorizeAttribute redirect to the login page for authentication and authorization failures?
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class AuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute
{
protected override void HandleUnauthorizedRequest(System.Web.Mvc.AuthorizationContext filterContext)
{
if (filterContext.HttpContext.Request.IsAuthenticated)
{
filterContext.Result = new System.Web.Mvc.HttpStatusCodeResult((int)System.Net.HttpStatusCode.Forbidden);
}
else
{
base.HandleUnauthorizedRequest(filterContext);
}
}
}
Then add the following code the web.config
file
<system.webServer>
<httpErrors errorMode="Custom" existingResponse="Replace">
<remove statusCode="403" />
<error statusCode="403" responseMode="ExecuteURL" path="/Error/UnAuthorized" />
</httpErrors>
</system.webServer>
Following article explain more about this: ASP.NET MVC: Improving the Authorize Attribute (403 Forbidden)
And httpErrors in web.config section in this article: Demystifying ASP.NET MVC 5 Error Pages and Error Logging
Then add the ErrorController.cs to Controllers folder
public class ErrorController : Controller
{
// GET: UnAuthorized
public ActionResult UnAuthorized()
{
return View();
}
public ActionResult Error()
{
return View();
}
}
Then add a UnAuthorized.cshtml to View/Shared folder
@{
ViewBag.Title = "Your Request Unauthorized !"; //Customise as required
}
<h2>@ViewBag.Title.</h2>
This will show customised error page instead of browser generated error page.
Also note that for the above environment, it is not required to comment the code inside RegisterGlobalFilters
method added by the template as suggested in one of the answers.
Please note that I just cut and paste code from my working project therefore I used Unauthorized
instead OP’s NoPermissions
in the above code.