CODEWITHSUNDEEP
asp.net-mvc-4forms-authentication
Shaul Behr
Shaul Behr

Reputation: 38003

How to make exceptions to forms authentication in ASP.NET MVC?

I am trying to create a "heartbeat" page on my ASP.NET MVC 4 system, so we can check on an automated basis that everything is working OK. All it's going to do is run a simple query on the DB and make sure no exception is thrown, in which case it'll return Json "success", otherwise it'll return the exception message.

The rest of the system is protected by Forms authentication:

<authentication mode="Forms">
  <forms name=".ADAuthCookie2" loginUrl="~/Account/Login" timeout="60" slidingExpiration="true" />
</authentication>
...
<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>

But obviously I don't want to force authentication for a heartbeat check. So I've created a HeartBeatController, and tagged both the controller and the Index() method with [AllowAnonymous] - but still, when I try to access the /HeartBeat url, I get redirected to the login page.

What am I missing?

Upvotes: 2

Views: 2031

Answers (2)

user1713059
user1713059

Reputation: 1507

Try adding a location with authorization override in your web.config like so:

<location path="HeartBeat">
    <system.web>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>
</location>

https://learn.microsoft.com/en-us/previous-versions/aspnet/ms178692(v=vs.100)

Upvotes: 0

Matt Millican
Matt Millican

Reputation: 4054

You'll have to remove the 

<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>

as I believe the AllowAnonymous attribute won't override that.

UPDATE

You'll have to add an Authorize attribute to the controllers, or as the following article mentions, you can set it in GlobalFilters

http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx

Upvotes: 3

Related Questions