Reputation: 6752
I have an MVC4 web app with the following controller:
    [Authorize]
    public class AccountController : BaseController
    {
        [AllowAnonymous]
        public ActionResult SignInRegister(LoginModel loginModel, string returnUrl)
        {
            //some implementation
        }

        //other secured actions
    }
This is working as expected when running locally, but as soon as I deploy it to the Free Azure Website I get a 401 error code with the message: You do not have permission to view this directory or page.
Removing the [Authorize] attribute and redeploying works as expected, adding it again and redeploying brings back the problem.
I even tried the fully qualified class names: System.Web.Mvc.Authorize and System.Web.Mvc.AllowAnonymous with the same results.
The app is using .NET 4.5 and the Azure Website is also configured to use 4.5.
UPDATE:
The BaseController has an action that returns the Header as partial view which was not decorated with [AllowAnonymous]. Locally it resulted in the page being displayed without the header, but on Azure Websites the response was cut off and only returned with the error message mentioned above. I had not realized the header was missing until I purposely looked into it.
Now the question begs to be asked: why is Azure Websites overriding the response?
Upvotes: 7
Views: 5681
Reputation: 2003
It could be that it is working, but there is an error loading the page (e.g. one of the DI dependencies failed) and it is redirecting to your error page, and your error page requires auth. You would need to [AllowAnonymous] your error page.
This was why it was happening to me only when deployed - my DI was working locally.
Upvotes: 0
Reputation: 801
Check your web.config to see if you have

    <authorization>
      <deny users="?" />
    </authorization>

It overrides [AllowAnonymous].
Add to the web.config section:

    <location path="YourController/AnonymousMethod">
      <system.web>
        <authorization>
          <allow users="*"/>
        </authorization>
      </system.web>
    </location>

to allow anonymous access for AnonymousMethod.
Upvotes: 1
Reputation: 6752
The BaseController has an action that returns the Header as partial view which was not decorated with [AllowAnonymous]. Locally it resulted in the page being displayed without the header, but on Azure Websites the response was cut off and only returned with the error message mentioned above. I had not realized the header was missing until I purposely looked into it.
Now the question begs to be asked: why is Azure Websites overriding the response?
Upvotes: 4
Reputation: 3091
I had the exact same problem and like Jonas' update says, you need to look out for Actions that return Partial Views AND have the [Authorize] attribute.
What you need to do is to remove the [Authorize] attribute and then if your action needs the user to be authenticated to render properly, have your code handle the unauthorized case.
An example is if your page displays the currently logged in user's name via a Partial. Have your action display an empty string or something else if the currently logged in user is not available.
Upvotes: 2
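The approach from the answers above, as an added example that is not code from the original posts: the header child action opts out of the class-level [Authorize] and handles the anonymous case itself, while every other action stays protected. HeaderModel, the "_Header" view name, the Header and Manage action names, the LoginModel properties, and rendering the header through @Html.Action("Header") in the layout are assumptions.

```csharp
using System.Web.Mvc;

// Hypothetical models; the original post does not show them.
public class LoginModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class HeaderModel
{
    public bool IsAuthenticated { get; set; }
    public string DisplayName { get; set; }
}

public abstract class BaseController : Controller
{
    // Assumed to be rendered from the layout with @Html.Action("Header").
    // [AllowAnonymous] exempts only this action from the [Authorize] applied
    // to derived controllers, so rendering the layout for an anonymous
    // visitor no longer fails authorization.
    // [ChildActionOnly] prevents the action from being requested by URL.
    [AllowAnonymous]
    [ChildActionOnly]
    public PartialViewResult Header()
    {
        bool signedIn = User != null && User.Identity.IsAuthenticated;
        var model = new HeaderModel
        {
            IsAuthenticated = signedIn,
            // Anonymous visitors get an empty name, never user-specific data.
            DisplayName = signedIn ? User.Identity.Name : string.Empty
        };
        return PartialView("_Header", model);
    }
}

[Authorize]
public class AccountController : BaseController
{
    [AllowAnonymous]
    public ActionResult SignInRegister(LoginModel loginModel, string returnUrl)
    {
        return View(loginModel);
    }

    // No [AllowAnonymous]: still covered by the class-level [Authorize].
    public ActionResult Manage() { return View(); }
}
```

Keeping the exemption on the single child action, rather than removing [Authorize] from the controller, leaves the default for any action added later as "authenticated only".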