I use the ClaimsPrincipalPermission for authorization in my asp 4.5 website.
This works fine.
But when the user tries to call a page which he is not allowed, the error code returned is a 500 and not something like 401.
Is this the expected behavior? I assume 401 would express more why this page can't be called.
Or do I have an error? In the debugger I see that a SecurityException is correctly thrown.
Is there a way to change this behavior? Does anyone know why this happens?
ClaimsPrincipalPermission throws a SecurityException. You may want to use something that plays nicer with web frameworks...
See here: http://leastprivilege.com/2012/10/26/using-claims-based-authorization-in-mvc-and-web-api/
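
Added example, not part of the original thread or the linked article: one way to keep `ClaimsPrincipalPermission` and still return a meaningful status is to translate the unhandled `SecurityException` in `Global.asax`. The 401/403 split, the `FindSecurityException` helper and the response text are assumptions made for this sketch.

```csharp
using System;
using System.Security;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        // ASP.NET usually wraps the original exception in HttpUnhandledException,
        // so look through the InnerException chain.
        SecurityException denied = FindSecurityException(Server.GetLastError());
        if (denied == null)
        {
            return; // not an authorization failure: leave the default 500 handling
        }

        // Note: SecurityException is not specific to ClaimsPrincipalPermission;
        // any code access security demand that fails ends up here as well.
        bool authenticated = User != null
                             && User.Identity != null
                             && User.Identity.IsAuthenticated;

        Server.ClearError();
        Response.Clear();
        // Anonymous caller: 401 (credentials needed).
        // Known caller lacking the claim: 403 (logging in again will not help).
        Response.StatusCode = authenticated ? 403 : 401;
        // Stop IIS from replacing the response with its own error page.
        Response.TrySkipIisCustomErrors = true;
        // Do not echo denied.Message: it can reveal which permission was demanded.
        Response.Write(authenticated ? "Forbidden" : "Unauthorized");
    }

    // Hypothetical helper: returns the first SecurityException in the chain, or null.
    private static SecurityException FindSecurityException(Exception ex)
    {
        for (Exception current = ex; current != null; current = current.InnerException)
        {
            SecurityException match = current as SecurityException;
            if (match != null)
            {
                return match;
            }
        }
        return null;
    }
}
```

With forms authentication enabled, a 401 set here is still rewritten into a redirect to the login page by the forms authentication module.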