Madhav

Reputation: 569

Is it possible to allow anonymous access to some pages in Windows authentication?

I am trying to implement Windows authentication in ASP.NET Core 2.0. I have set up Windows authentication, which is very easy: you only select the Windows authentication option while creating the solution. But I want to make some pages publicly available, and for this I tried something like the code below, which is not working.

[Authorize(Roles = "Administrator")]
public IActionResult Index()
{
    return View();
}

[AllowAnonymous]
public IActionResult About()
{
    ViewData["Message"] = "Your application description page.";

    return View();
}

So is it possible to make some pages publicly accessible in Windows authentication?

Upvotes: 4

Views: 3683

Answers (1)

Alexei - check Codidact

Reputation: 23108

Yes, it is possible. This is how I managed to do it in ASP.NET Core 2.0.x (not sure if it works in ASP.NET Core 1.x).

1. Create a middleware that discriminates between controllers that use Windows authentication and those that do not

using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;

/// <summary>
/// A middleware that allows some requests to bypass Windows authentication
/// </summary>
public class NtlmAndAnonymousSetupMiddleware
{
    #region Variables
    private readonly RequestDelegate _next;

    //TODO: maybe this can be improved to get rid of these magic strings
    private static readonly List<string> AllowedControllers = new List<string>
    {
        "/Anonymous",
        "/swagger"
    };
    #endregion

    /// <summary>
    /// Stores the next middleware in the pipeline
    /// </summary>
    /// <param name="next">the next request delegate</param>
    public NtlmAndAnonymousSetupMiddleware(RequestDelegate next)
    {
        this._next = next;
    }

    /// <summary>
    /// Passes the request on, or answers it with a Windows authentication challenge
    /// </summary>
    /// <param name="context">the current HTTP context</param>
    /// <returns></returns>
    public async Task Invoke(HttpContext context)
    {
        // if requests target anonymous controller or there is a CORS related OPTIONS request
        // => let it be and challenge only for other request methods (GET, POST etc.)
        if (context.User.Identity.IsAuthenticated ||
            context.Request.Method == "OPTIONS" ||
            // match whole path segments, ignoring case like the router does, so that
            // "/AnonymousAdmin" is not treated as part of "/Anonymous"
            AllowedControllers.Any(c =>
                context.Request.Path.StartsWithSegments(c, StringComparison.OrdinalIgnoreCase)))
        {
            await _next(context);
            return;
        }

        await context.ChallengeAsync("Windows");
    }

}

A special case is when receiving OPTIONS requests (CORS related) that must not reach the Windows authentication challenge.

2. Register the middleware in Startup.cs

/// <summary>
/// allow anonymous requests (that are handled by application afterwards)
/// </summary>
/// <param name="app"></param>
protected virtual void AllowAnonymous(IApplicationBuilder app)
{
    app.UseMiddleware<NtlmAndAnonymousSetupMiddleware>();
}

public void Configure(IApplicationBuilder app)
{
    AllowAnonymous(app);
    // ...
}

3. Allow anonymous authentication in IIS

Of course, the Web application should be configured to also allow Anonymous authentication (besides Windows authentication).

Note: referring to web.config, I do not remember if this was required in ASP.NET Core 1.x, but I always use it when hosting in IIS:

<configuration>
  <system.webServer>
    <handlers> 
      <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
    </handlers>
    <aspNetCore processPath="dotnet" arguments=".\TheApp.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" forwardWindowsAuthToken="true" /> 
  </system.webServer>
</configuration> 

Upvotes: 2
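
A stricter form of the pass-through test from step 1, as an added example that is not part of the original answer: the OPTIONS exception is limited to requests that carry the CORS preflight headers, and allow-list entries match on whole path segments. `ChallengePolicy`, its method names and the sample requests are assumptions constructed for illustration; the project needs a reference to Microsoft.AspNetCore.Http for `PathString`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Http;

// Added example (hypothetical names): decides whether a request may skip the Windows challenge.
public static class ChallengePolicy
{
    // The same two entries as the allow-list in step 1.
    private static readonly PathString[] AnonymousPrefixes = { "/Anonymous", "/swagger" };
    // A CORS preflight is an OPTIONS request that carries both of these headers.
    public static bool IsCorsPreflight(string method, IDictionary<string, string> headers) =>
        string.Equals(method, "OPTIONS", StringComparison.OrdinalIgnoreCase) &&
        headers.ContainsKey("Origin") &&
        headers.ContainsKey("Access-Control-Request-Method");
    // StartsWithSegments matches only on a "/" boundary, so "/AnonymousAdmin"
    // is not treated as lying under "/Anonymous".
    public static bool IsAnonymousPath(PathString path) =>
        AnonymousPrefixes.Any(p => path.StartsWithSegments(p, StringComparison.OrdinalIgnoreCase));
    public static bool MaySkipChallenge(bool authenticated, string method,
                                        PathString path, IDictionary<string, string> headers) =>
        authenticated || IsCorsPreflight(method, headers) || IsAnonymousPath(path);
}

public static class Program
{
    public static void Main()
    {
        var none = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        var preflight = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["Origin"] = "https://app.example", ["Access-Control-Request-Method"] = "POST"
        };
        // Constructed sample requests, all unauthenticated.
        var samples = new (string Method, string Path, IDictionary<string, string> Headers)[]
        {
            ("GET", "/Anonymous/Status", none),
            ("GET", "/anonymous", none),
            ("GET", "/AnonymousAdmin/Users", none),
            ("GET", "/swagger-internal/v1", none),
            ("OPTIONS", "/Home/Index", preflight),
            ("OPTIONS", "/Home/Index", none),
        };
        foreach (var s in samples)
            Console.WriteLine($"{s.Method,-8}{s.Path,-24}" +
                (ChallengePolicy.MaySkipChallenge(false, s.Method, new PathString(s.Path), s.Headers)
                    ? "pass through" : "challenge"));
    }
}
```

In the middleware, `MaySkipChallenge` would take `context.User.Identity.IsAuthenticated`, `context.Request.Method`, `context.Request.Path` and the request headers in place of the constructed values.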
