Using ClaimsPrincipalPermissionAttribute, how do I catch the SecurityException?
- by Ryan Roark
In my MVC application I have a controller action that deletes a customer, to which I'm applying claims-based authorization using WIF.
Problem: if someone doesn't have access they see an exception in the browser (complete with stack trace), but I'd rather just redirect them.
This works and allows me to redirect:

    public ActionResult Delete(int id)
    {
        try
        {
            ClaimsPrincipalPermission.CheckAccess("Customer", "Delete");
            _supplier.Delete(id);
            return RedirectToAction("List");
        }
        catch (SecurityException ex)
        {
            return RedirectToAction("NotAuthorized", "Account");
        }
    }

This works but throws a SecurityException I don't know how to catch (when the user is not authorized):

    [ClaimsPrincipalPermission(SecurityAction.Demand, Operation = "Delete", Resource = "Customer")]
    public ActionResult Delete(int id)
    {
        _supplier.Delete(id);
        return RedirectToAction("List");
    }

I'd like to use the declarative approach, but I'm not sure how to handle unauthorized requests. Any suggestions?
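
One way to handle the declarative case, shown as an added example that is not part of the original question: an ASP.NET MVC exception filter that turns a `SecurityException` raised by the action into the redirect to `NotAuthorized`, so no stack trace reaches the browser. The filter name `RedirectOnSecurityExceptionAttribute` is hypothetical, and it is an assumption that the exception from the permission demand surfaces inside MVC's exception-filter scope.

```csharp
using System;
using System.Diagnostics;
using System.Security;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical filter (not from the question). Place it on the action or the
// controller, next to the question's [ClaimsPrincipalPermission(...)] attribute:
//
//   [RedirectOnSecurityException]
//   [ClaimsPrincipalPermission(SecurityAction.Demand, Operation = "Delete", Resource = "Customer")]
//   public ActionResult Delete(int id) { ... }
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class RedirectOnSecurityExceptionAttribute : FilterAttribute, IExceptionFilter
{
    public void OnException(ExceptionContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        // Leave exceptions that another filter already handled, and anything
        // that is not an authorization failure, to the normal error pipeline.
        if (filterContext.ExceptionHandled) return;
        if (!IsSecurityException(filterContext.Exception)) return;

        // Record the denial server-side; nothing about the exception is sent
        // to the client.
        Trace.TraceWarning(
            "Access denied: user='{0}' controller='{1}' action='{2}'",
            filterContext.HttpContext.User.Identity.Name,
            filterContext.RouteData.Values["controller"],
            filterContext.RouteData.Values["action"]);

        // Same target as the try/catch version in the question.
        filterContext.Result = new RedirectToRouteResult(
            new RouteValueDictionary
            {
                { "controller", "Account" },
                { "action", "NotAuthorized" }
            });
        filterContext.ExceptionHandled = true;
    }

    // Walk the InnerException chain in case the SecurityException arrives wrapped.
    private static bool IsSecurityException(Exception ex)
    {
        for (; ex != null; ex = ex.InnerException)
            if (ex is SecurityException) return true;
        return false;
    }
}
```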