The way to handle unauthorised requests to Ajax actions in ASP.NET MVC


I have created a view that posts to an action via Ajax with the expectation that the action will return the requested data or an empty string.  Even better, I would like it to be configurable to return whatever value I see fit.

The problem arises when I decorate the called action with the [Authorize] attribute. If the request is not authorized and I have a loginUrl configured in my web.config, my Ajax request will return the HTML output of my loginUrl view. That is undesirable.


I can extend the existing Authorize attribute by inheriting from the AuthorizeAttribute class.  Here is the code that extends the Authorize attribute:

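    using System.Web.Mvc;

    public class AjaxAuthorizeOverrideAttribute : AuthorizeAttribute
    {
        // Name of the view to return for unauthorized Ajax requests.
        public string View { get; set; }

        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            if (!filterContext.HttpContext.Request.IsAjaxRequest())
            {
                // Non-Ajax requests keep the default behaviour (redirect to loginUrl).
                base.HandleUnauthorizedRequest(filterContext);
                return;
            }

            filterContext.Result = new ViewResult { ViewName = View };
        }
    }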

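Here is the decorator for the Ajax action in the controller class:

    // "AjaxUnauthorized" is a placeholder view name; use the view you want returned.
    [AjaxAuthorizeOverride(View = "AjaxUnauthorized")]
    public ActionResult AjaxRequest()
    {
        return View();
    }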

Note: there is no default view page being rendered.
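
A variant of the override above, as an added example that is not from the original article: the view-based result is sent with a 200 status, so client script cannot tell an authorization failure from real data, whereas this version answers Ajax requests with a 401 or 403 status code and a small JSON body. The attribute name `AjaxStatusAuthorizeAttribute` and the JSON shape are assumptions; `SuppressFormsAuthenticationRedirect` requires .NET 4.5 or later.

```csharp
using System.Net;
using System.Web.Mvc;

// Added example: hypothetical attribute name, not part of the original article.
public class AjaxStatusAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var httpContext = filterContext.HttpContext;

        if (!httpContext.Request.IsAjaxRequest())
        {
            // Browser navigation keeps the default behaviour (redirect to loginUrl).
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // 401 = caller is not signed in; 403 = signed in but not allowed.
        bool authenticated = httpContext.User != null
                             && httpContext.User.Identity.IsAuthenticated;
        HttpStatusCode status = authenticated
            ? HttpStatusCode.Forbidden
            : HttpStatusCode.Unauthorized;

        // Stop forms authentication from turning the 401 into a 302 to loginUrl.
        httpContext.Response.SuppressFormsAuthenticationRedirect = true;
        // Keep IIS from replacing the JSON body with its own error page.
        httpContext.Response.TrySkipIisCustomErrors = true;
        httpContext.Response.StatusCode = (int)status;

        // Assumed response shape: { "error": "Unauthorized" } or { "error": "Forbidden" }.
        filterContext.Result = new JsonResult
        {
            Data = new { error = status.ToString() },
            JsonRequestBehavior = JsonRequestBehavior.AllowGet
        };
    }
}
```

`IsAjaxRequest()` only selects the response format here; the authorization decision itself is still made by the base `AuthorizeAttribute` before this method is called.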


Original article can be found here