Raising HTTP errors from MVC5

Alastair Grant | Monday 8 February 2016

MVC provides a lot of nice friendly ways of doing things, especially around user authorisation and authentication. You can easily mark a section as requiring authorisation and if it fails MVC handles this and takes the client to the logon screen.

But when you start to dig a little into it, things start getting very Microsofty, losing compliance with how the net should work with things like HTTP Status codes.

If you've logged in but are unauthorised for a certain resource, you should be presented with a 403 error, not a logon screen. You have to implement this logic yourself by overriding the HandleUnauthorizedRequest() method of the AuthorizeAttribute and implementing whatever checks you want before triggering some logic to return a 403.

Unfortunately things start to fall apart with IIS and MVC trying to make things easy for you with those confusing "user-friendly" error messages.

I've found the simplest way to handle this is to throw new HttpException(403, "Forbidden"), then add a relevant tag to the customErrors section of your Web.config. I set this to point back to another MVC action that can then set Response.StatusCode = 403 and return whatever pretty view I want.

In terms of what happens over the wire, you still get an icky 302 when you try to access the original resource, but the final page you land on comes back with the correct 403 error. This should be fine for most web clients and crawlers.
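The pieces described above, put together as an added example (not the author's own code). The attribute name, the Error/Forbidden controller, action and route are hypothetical, and setting TrySkipIisCustomErrors is an assumption added here to keep IIS from swapping in its own error page.

```csharp
using System.Web;
using System.Web.Mvc;

// Web.config, inside <system.web>: map the thrown 403 to the action below.
//   <customErrors mode="On">
//     <error statusCode="403" redirect="~/Error/Forbidden" />
//   </customErrors>

// Hypothetical name: apply in place of [Authorize] on controllers or actions.
public class AuthorizeOrForbidAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        bool loggedIn = user != null
            && user.Identity != null
            && user.Identity.IsAuthenticated;

        if (loggedIn)
        {
            // Authenticated but not permitted: sending the client to the
            // logon screen would be misleading, so raise a 403 instead.
            throw new HttpException(403, "Forbidden");
        }

        // Anonymous client: keep the default behaviour, which ends in the
        // logon redirect when forms authentication is configured.
        base.HandleUnauthorizedRequest(filterContext);
    }
}

// Hypothetical controller: the target of the customErrors redirect.
public class ErrorController : Controller
{
    // Must stay reachable even when a global authorisation filter is
    // registered, otherwise the error page itself would fail authorisation.
    [AllowAnonymous]
    public ActionResult Forbidden()
    {
        // The redirect arrives as a fresh request, so the status has to be
        // set again here for the final page to come back as a 403.
        Response.StatusCode = 403;
        Response.TrySkipIisCustomErrors = true; // assumption, see lead-in
        return View();
    }
}
```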
