Prevent browser authentication ASP.NET Web API dialog on 401

Peterjc 81 Reputation points
2022-08-29T01:20:05.597+00:00

I have an existing ASP.NET Webforms / MVC application (it uses a mixture of technologies), to which I want to add a Web API to use for external ajax API calls (to replace older web services and WCF).

The existing ASP.NET WebForms application uses forms authentication, so if a login fails, it will redirect to a Webforms login page. I do NOT not want this for the Web API, I always just want to return json data (not a bunch of HTML).

To disable the login form, I found I could add the following to Global.asax: 

protected void Application_BeginRequest(Object sender, EventArgs e)  
{        
    string testPath = $"{Context.Request.ApplicationPath.ToLowerInvariant()}/{BaseConstants.WebApiRoutePrefix}/";  
    bool isWebApiRequest = Context.Request.Path.ToLower().Contains(testPath);        
  
    if (isWebApiRequest && FormsAuthentication.IsEnabled && !Context.Request.IsAuthenticated)  
    {  
        Context.Response.SuppressFormsAuthenticationRedirect = true;  <---- this disables the login page  
    }  
}

The above does stop the login page, but I then noticed the Web API calls could go through with no authentication at all.

So I created an authorization attribute to use for the Web API controllers: 

public class WebApiAuthorizationAttribute : System.Web.Http.AuthorizeAttribute  
{  
    public override void OnAuthorization(HttpActionContext actionContext)  
    {  
        ..   
        // if not auth returns a HttpStatusCode.Unauthorized,  
    }  
}

This code (almost) all works fine, however, just before I get the response for my Ajax call (in my case from an Angular app), I always get a browser login dialog...

235613-image.png

If I click cancel, I then get the response back in the Angular application with the JSON etc I am after.

Can I stop the dialog from displaying, so I just get back any error JSON?

Thanks in advance

ASP.NET
ASP.NET
A set of technologies in the .NET Framework for building web applications and XML web services.
3,285 questions
ASP.NET API
ASP.NET API
ASP.NET: A set of technologies in the .NET Framework for building web applications and XML web services.API: A software intermediary that allows two applications to interact with each other.
301 questions
0 comments
Accepted answer
  1. Lan Huang-MSFT 25,871 Reputation points Microsoft Vendor
    2022-08-29T06:46:38.737+00:00

    Hi @Peterjc ,
    Browser authentication forms are typically used in intranets that have Windows authentication. Instead of forms authentication.
    Take a look at IIS express configurations: %USERPROFILE%\Documents\IISExpress\config\applicationhost.config Make sure authentication settings are correct and not affecting you.
    There should not be any entry for your application. Also the default value for windows authentication should be false: <windowsAuthentication enabled="false">
    You can open the Properties window in Visual Studio. Set Anonymous Authentication to Enabled and Windows Authentication to Disabled.
    https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/aspnet/development/forms-based-authentication
    Best regards,
    Lan Huang

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Bruce (SqlWork.com) 56,851 Reputation points
    2022-08-30T20:45:08.28+00:00

    typically you add a header to the Ajax call to identify it as an Ajax call. then in OnAuthorization you check for the header. if present, instead of redirecting to the login (default processing) just return the error json with Response.Write & Response.End