Blog

ASP.NET MVC Controllers: HttpNotFoundResult

By Martin Schaeferle

The controller in an MVC application is the traffic cop that keeps everything working smoothly. A controller is responsible for responding to user input and managing the overall flow of the application. In short, the controller is responsible for doing whatever is necessary to service requests from users, using the tools at its disposal: models and views. You can think of a controller as being responsible for application logic, how the application itself works. In this article you'll learn about the features, specifically HttpNotFoundResult, on ASP.NET MVC that can simplify the controller code you write.

HttpNotFoundResult

HttpNotFoundResult is useful when you want to indicate that a requested resource is not available. It can be useful to handle situations where a user hacks a URL to request an out of bounds ID value. The action result returns an HTTP 404 status code, which can mask an exception the user would otherwise get that can inadvertently leak information about how the Web site works to an attacker.

For example, the Index view of the Home controller has the following code, which provides two links. Assuming that you have created at least one dog using the DogController, the first link displays the Details view for the dog. The code uses the ActionLink HTML helper method to build the link, providing the id value using the route values parameter. The second link attempts to view the details for a dog with the id value of 10000, which, unless you have entered a lot of dogs manually in the sample application, doesn't exist.

Under normal circumstances, the second link will cause an exception when the view attempts to display a null dog, which you can handle using ASP.NET exception handling either locally or globally. But this kind of problem really is a resource not found error, and an HTTP 404 status is ideally suited for this situation.

 <p> Resource: @Html.ActionLink("Exists", "Details", "Dog", new { id = 0 }, null) &nbsp; @Html.ActionLink("Missing", "Details", "Dog", new { id = 10000 }, null) &nbsp; <a href="http://blogs.learnnowonline.com/Dog/SeedDogs">[Seed Dogs]</a> </p>

The Dog controller also has a SeedDogs action method that adds three dogs to the dogs collection, saving you the trouble of manually adding a few dogs before trying out the code in this section.

 public ActionResult SeedDogs() { Models.Dog dog = new Models.Dog(); dog.Name = "Mardy"; dog.Age = 13; dogs.Add(dog); ... adds two more dogs return RedirectToAction("Index", "Home"); }

The following code implements the Details action method called by the ActionLink URL. If the dog object is null after trying to retrieve the selected Dog object from the dogs list, the code returns the HttpNotFound action result. This results in the 404 HTTP status code, and you can produce a custom page to show the user.

 public ActionResult Details(int id) { Models.Dog dog = dogs.Find(d => d.ID == id); if (dog == null) return HttpNotFound(); return View(dog); }

Requesting such an out of bounds value might cause an exception in an action method, so this way the user gets an exception that really does indicate the correct situation. It also prevents an attacker from probing the application and learning potentially damaging information.

Get more training on ASP.NET MVC 2 & 3!



Martin Schaeferle
Martin Schaeferle has taught IT professionals nationwide to develop applications using Visual Basic, Microsoft SQL Server, ASP, and XML. He has been a featured speaker at Microsoft Tech-Ed and the Microsoft NCD Channel Summit, and he specializes in developing Visual Basic database applications, COM-based components, and ASP-based Web sites. In addition to writing and presenting technical training content, Martin is also LearnNowOnline's vice president of technology.


This blog entry was originally posted August 08, 2012 by Martin Schaeferle

MVC ASP.NET Web Development