Problems with authentication on a MVC + REST application

Topics: Web Api
Sep 27, 2011 at 10:50 AM

Hi all

I want to deploy in the same web azure role a MVC3 application + some rest services, it's almost working but when i return a HttpStatusCode.Unauthorized on the services, it's captured by the authentication/membership and it's redirected to the loginUrl defined in the web.config... is there any way to override this behaviour and return just the 401 code?

I have my webservices in /api


Sep 27, 2011 at 3:07 PM

Hi again :)

Just for information, i've "fixed" it using another code as a mask and then, in the global asax change it again to 401.

        protected void Application_EndRequest(Object sender, EventArgs e)
            if (Context.Response.StatusCode == 402)
                //check for 402 - status code of hidden 401
                Context.Response.StatusCode = 401;


Sep 27, 2011 at 5:38 PM

Hi Villagra,

Thanks for reporting the issue. We will log a bug to investigate.

In the meanwhile, can you work around this issue by having MVC3 and rest services in different v-roots so that 401 won't get redirected?


Sep 27, 2011 at 5:44 PM

Hi Villagra,

On your "REST" service, how are the clients authenticated? Basic authentication or using the MVC3 web app cookies?


Sep 27, 2011 at 10:52 PM
Edited Sep 27, 2011 at 10:52 PM

The "trick" that I use is to have all of my Web API routes begin with the same root (i.e.  /api/myresource1/, /api/myresource2/). I then create a dummy folder called "api" in my website, and place a web.config file there with the appropriate settings (i.e. <authentication mode="None"></authentication>). ASP.NET will respect any configuration settings in that folder for any route that begins with "api".

This is how I handle authorization as well.

Sep 28, 2011 at 7:26 AM

Hi all, 

Thank you for your answers...  as howarddierking says, it's all caused by forms authentication module, and rest services works properly if i disable it but i'm using it in the MVC website so i was looking for a way to override just the redirection and return the 401.

@pmhsfelix: basic authentication 

@cb55555, that only works if you define the /api as another virtual directory, otherwise you'll get an exception because the 2 authentication modes....   and i cannot create /api as a virtual directory because i'm using azure and i want to deploy in the same role.

Sep 28, 2011 at 10:48 AM

Latest Azure does support multiple web sites and virtual directories under same web role.

Sep 28, 2011 at 10:50 AM

@pekkah thanks! 

How to Configure a Web Role for Multiple Web Sites

Sep 28, 2011 at 5:42 PM

villagra you could write a custom http module to detect the redirect and change it back to a 401.

Dec 30, 2011 at 3:01 AM
gblock wrote:

villagra you could write a custom http module to detect the redirect and change it back to a 401.


I'm currently employing this strategy (hosted in Azure under a single web role).  My setup is like:

MVC app: (Forms Authentication)

Services: (custom Basic Authentication via DelegatingHandler, custom HttpModule to hijack the Forms Authentication redirect)

It seems like the proper solution would be to set up two distinct sites like:

MVC app: (Forms Authentication)

Services: (authentication set to None but performing custom Basic Authentication via DelegatingHandler)

Does the community agree?