Web API anonymous service access with forms authentication

Question

I am trying to determine how to configure access to a Web API controller service under forms authentication. If I add authorization configuration to deny all anonymous users by adding the authorization element:

<authorization>
   <!-- Deny all anonymous users -->
   <deny users="?" />
</authorization>

Only the login page is accessible as expected. But I would also like access to a list returned from a controller. I added the [AllowAnonymous] attribute to a simple service that returns values used to populate a drop down menu. For example:

namespace WebAPI.Controllers
{
    public class RegisterController : ApiController
    {
        [AllowAnonymous]
        public List<ListElement> GetActivitiesList()
        {
            List<ListElement> li = new List<ListElement>();

            li.Add(new ListElement() { Id = 1, Text = "Item 1" });
            li.Add(new ListElement() { Id = 2, Text = "Item 2" });
            li.Add(new ListElement() { Id = 3, Text = "Item 3" });

            return li;

        }

    }
}

I added the controllers directory to the allowed list in the web.config:

<location path="Controllers">
   <system.web>
   <authorization>
      <allow users="*" />
   </authorization>
   </system.web>
</location>

If I browse my sample page to invoke the controller, forms authentication still denies access with a 302 redirect to the login page, even if I add the [AllowAnonymous] attribute. If I remove the authorization element "<deny users="?" />" for the entire site, I can control access using the [Authorize] and [AllowAnonymous] attributes.

The objective is to be able to use specific services on a few pages (like registration) for anonymous users, while the rest of site access is restricted to authenticated users. Accessing a service is not exactly the same as accessing a file, so my guess is that I have to write a special handler for this situation, but I am not sure as to how to go about it.

Answer 1

So first of all we don't know anything about the rest of the app - is it MVC or WebForms?

If you app is MVC, i totally agree with Brian that you should use [Authorize] and [AllowAnoynmous] on all your controllers.

If you can't do that - you can indeed "punch holes" into the rules - but you need to use the "real" URLs, like

..and yeah - be careful ;)

Answer 2

First off, don't use the old-school ASP.NET allow/deny mechanism to control access when you are using ASP.NET MVC. I don't think this is supported, and may instead create security holes in your site (source). The correct way to control access in ASP.NET MVC is to use the [Authorize] and [AllowAnonymous] attributes on your controller classes and/or methods as you alluded to in your question.

If you want to make it so that your whole application requires a login for every method except a couple, you can apply the [Authorize] attribute at the class level to all your controllers, and then apply the [AllowAnonymous] attribute at the method level for those methods that should not require authentication. There is also a way to write a FilterProvider, such that it will automatically apply the [Authorize] attribute programmatically to any controller that does not have such an attribute already applied. This is handy because it then you can't accidentally forget to apply the [Authorize] attribute. See this article for details on how to do that. Note that the [AllowAnonymous] attribute introduced in MVC4 performs the same function as the custom [Public] attribute the author describes in the article. See also this article which talks about securing an MVC application in general. Both articles are a little bit dated (2011), but the basic ideas are still sound.