Reputation: 839
AllowAnonymous attribute being ignored in MVC4 with ClaimsAuthorizationManager
I'm trying to use a custom ClaimsAuthorizationManager based on the excellent work from Dominic Baier within a new MVC4 application which is still very much based on the out-of-box Internet template and when I configure it it seems to want to authorize everything and ignores the [AllowAnonymous] attribute.
Looking at the stack trace is seems that the ExtensionlessUrlHandler-Integrated-4.0 triggers the AuthorizationManager code.
I'm feel like it's either a configuration problem with my web.config (See below) or I need some additional logic in my AuthorizationManager not to perform the check at that time.
My completeness here is the Controller snippet:
[AllowAnonymous]
public class HomeController : Controller
{
[AllowAnonymous]
public ActionResult Index()
{
ViewBag.Message = "Modify this template to jump-start your ASP.NET MVC application.";
return View();
}
The system.web section :
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<authorization>
<!--<deny users="?" />-->
</authorization>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
<roleManager enabled="true" defaultProvider="simple">
<providers>
<clear />
<add name="simple" type="WebMatrix.WebData.SimpleRoleProvider,WebMatrix.WebData" />
</providers>
</roleManager>
<membership defaultProvider="simple">
<providers>
<clear />
<add name="simple" type="WebMatrix.WebData.SimpleMembershipProvider,WebMatrix.WebData" />
</providers>
</membership>
<pages>
<namespaces>
<add namespace="System.Web.Helpers" />
<add namespace="System.Web.Mvc" />
<add namespace="System.Web.Mvc.Ajax" />
<add namespace="System.Web.Mvc.Html" />
<add namespace="System.Web.Optimization" />
<add namespace="System.Web.Routing" />
<add namespace="System.Web.WebPages" />
</namespaces>
</pages>
<httpModules>
<!--WIF 4.5 modules -->
<!--Not needed here for IIS >= 7 -->
<!--<add name="ClaimsAuthorizationModule" type="System.IdentityModel.Services.ClaimsAuthorizationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>-->
</httpModules>
The system.webServer section :
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<handlers>
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
<modules runAllManagedModulesForAllRequests="false">
<remove name="RoleManager" />
<remove name="FormsAuthentication" />
<!--WIF 4.5 modules -->
<add name="ClaimsAuthorizationModule" type="System.IdentityModel.Services.ClaimsAuthorizationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
<add name="ClaimsTransformationModule" type="HillIntl.MyLCM.Security.ClaimsTransformationHttpModule" />
<add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
</modules>
The identity model section :
<!--WIF 4.5 s.im section-->
Upvotes: 2
Views: 6159
Answers (1)
Reputation: 18482
When you add the claims authZ module, it is indeed triggered on every request. You need a custom [Authorize] attribute for MVC4 to play nice with claims authorization.
Similar to this: http://leastprivilege.com/2012/06/22/authorization-in-asp-net-web-api/
Upvotes: 4
Related Questions
- AllowAnonymous not working with Custom AuthorizationAttribute
- Mvc AllowAnonymous not working
- Allowanonymous attribute does not work in asp.net mvc
- AllowAnonymous Attribute not working MVC 5
- AllowAnonymous attribute make Authorize ignored
- Set ClaimsAuthorizationManager in Code (MVC 5)
- ClaimsAuthenticationManager.Authenticate never gets called
- ClaimsAuthorizationManager issues
- ASP .Net MVC 4 Authorize and AllowAnonymous
- MVC's AllowAnonymousAttribute not showing up