Redone

Reputation: 1313

Allow Anonymous to call certain action in asp.net mvc 3

I have an action named ForgotPassword. Every time an anonymous user tries to access the action, he/she is redirected to the login page. Below is my implementation.

public ActionResult ForgotPassword(string UserName)
{
    // Moreover, when I place a breakpoint on the line below,
    // it's not even getting here
    return View("Login");
}

And here is a portion of my web.config file:

  <location path="">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>

  <location path="Content">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>    
  </location>

  <location path="Scripts">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>    
  </location>

  <location path="Images">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>    
  </location>

<authentication mode="Forms">
  <forms loginUrl="/Home/Login" timeout="5" slidingExpiration="false" />
</authentication>

Upvotes: 7

Views: 12865

Answers (4)

Wédney Yuri

Reputation: 1277

From this link: http://weblogs.asp.net/jongalloway/asp-net-mvc-authentication-global-authentication-and-allow-anonymous

If you are using MVC 3 you can't do:

public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    filters.Add(new HandleErrorAttribute());
    filters.Add(new AuthorizeAttribute());
}

Because it's global, and the AllowAnonymous attribute doesn't work in MVC 3.

So you need to build your own filter. It's working for me (MVC 3); you can check the complete solution here.

using System.Web.Mvc;
using MvcGlobalAuthorize.Controllers;

namespace MvcGlobalAuthorize.Filters {
    public sealed class LogonAuthorize : AuthorizeAttribute {
        public override void OnAuthorization(AuthorizationContext filterContext) {
            // Skip the check when the action or its controller is marked with AllowAnonymousAttribute.
            bool skipAuthorization = filterContext.ActionDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true)
                || filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true);
            if (!skipAuthorization) {
                // Everything else goes through the normal Authorize logic.
                base.OnAuthorization(filterContext);
            }
        }
    }
}

Upvotes: 3
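Added example, not part of the answer above or of the linked solution: a complete MVC 3 wiring of this approach. It declares the marker attribute that MVC 3 lacks, repeats the answer's filter so the block compiles on its own, and adds a reflection helper that lists every action left open to anonymous users, so a unit test can compare the result with an expected allow-list. The namespace, `AnonymousSurface`, `Register` and `Find` are hypothetical names, and the helper assumes actions are public instance methods that return `ActionResult`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

namespace AnonymousAccessExample // hypothetical namespace
{
    // MVC 3 ships no AllowAnonymousAttribute, so the marker is declared by hand (assumed shape).
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
    public sealed class AllowAnonymousAttribute : Attribute { }

    // Same logic as the answer's filter: authorize unless the action or controller is marked.
    public sealed class LogonAuthorize : AuthorizeAttribute
    {
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            bool skip = filterContext.ActionDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true)
                || filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true);
            if (!skip) base.OnAuthorization(filterContext);
        }
    }

    public static class AnonymousSurface // hypothetical helper
    {
        // Call from RegisterGlobalFilters in Global.asax.cs so every action requires login by default.
        public static void Register(GlobalFilterCollection filters)
        {
            filters.Add(new LogonAuthorize());
        }

        // Returns "Controller.Action" for each action that skips authentication.
        // Only methods declared on the controller itself are inspected (assumption: no inherited actions).
        public static IList<string> Find(Assembly assembly)
        {
            return (from type in assembly.GetTypes()
                    where typeof(Controller).IsAssignableFrom(type) && !type.IsAbstract
                    from method in type.GetMethods(
                        BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                    where typeof(ActionResult).IsAssignableFrom(method.ReturnType)
                    where type.IsDefined(typeof(AllowAnonymousAttribute), true)
                       || method.IsDefined(typeof(AllowAnonymousAttribute), true)
                    orderby type.Name, method.Name
                    select type.Name + "." + method.Name).ToList();
        }
    }
}
```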

Satpal

Reputation: 133423

You are denying everyone access to the application by using:

<authorization>
    <deny users="?"/>
</authorization>

IMHO, you should not use web.config to control the authentication of your application; instead, use the Authorize attribute.

Add this in your Global.asax file, in the RegisterGlobalFilters method:

public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    filters.Add(new HandleErrorAttribute());
    filters.Add(new AuthorizeAttribute()); //Added
}

Or you can also decorate your controller with [Authorize]:

[Authorize]
public class HomeController : Controller
{
    ...
}

If you are using ASP.NET MVC4, for actions which require anonymous access, use the AllowAnonymous attribute:

[AllowAnonymous]
public ActionResult ForgotPassword() {
    // Moreover, when I place a breakpoint on the line below,
    // it's not even getting here
    return View("Login");
}

As per the reference, you cannot use routing or web.config files to secure your MVC application. The only supported way to secure your MVC application is to apply the Authorize attribute to each controller and use the new AllowAnonymous attribute on the login and register actions. Making security decisions based on the current area is a Very Bad Thing and will open your application to vulnerabilities.

Upvotes: 9

Tamim Al Manaseer

Reputation: 3724

I assume you're setting an "Authorize" attribute on your controller, which will force login for every controller action. I recommend removing that attribute from the controller and setting it on each action one by one, or upgrading to MVC 4 and using the AllowAnonymous attribute.

Upvotes: 1

Oleksii Aza

Reputation: 5398

If you are using ASP.NET MVC4, you can try putting the AllowAnonymous attribute on your action like this:

[AllowAnonymous]
public ActionResult ForgotPassword(string UserName)
{
    // Moreover, when I place a breakpoint on the line below,
    // it's not even getting here
    return View("Login");
}

For more information take a look at Jon Galloway's article: Global authentication and Allow Anonymous

Upvotes: 0
