CODEWITHSUNDEEP
asp.net-mvc-3authenticationauthorization
Adriano Zawadzki
Adriano Zawadzki

Reputation: 174

Apply AuthorizeAttribute to a controller class and to action simultaneously

Is There one way to make a [Authorize] attibute be ignored in one action in a controller class that has a Authorize attribute?

        [Authorize]
        public class MyController : Controller
        {
           [Authorize(Users="?")]//I tried to do that and with "*", but unsuccessfuly,
           public ActionResult PublicMethod()
           {
           //some code
           }

           public ActionResult PrivateMethod()
           {
           //some code
           }
        }

Just the PrivateMethod() should have authentication required, but it has been required too.

PS: I wouldn't like to make my custom authorize filter.

[]'s

Upvotes: 10

Views: 15369

Answers (5)

lidlbobbytables
lidlbobbytables

Reputation: 490

Just for future reference This is now available to be done by the the [AllowAnonymous] attribute in ASP.NET MVC 4.

More Info

Upvotes: 0

imtiaj ahammad
imtiaj ahammad

Reputation: 31

    public class MyController : Controller
    {
       [Authorize] //it will only work for the following action
       public ActionResult PublicMethod()
       {
       //some code
       }

       public ActionResult PrivateMethod()  //[Authorize] will not work for this action
       {
       //some code
       }
    }

Upvotes: 0

Omar
Omar

Reputation: 1491

A solution is in this article: Securing your ASP.NET MVC 3 Application

The article talks about a white list approach where you decorate actions with a AllowAnonymous custom attribute. It requires that you extend AuthorizeAttribute and the OnAuthorization method to skip authorization checks of AllowAnonymous -actions. (The approach is credited to Levi, a security expert on the MVC team.)

Upvotes: 3

Erfan
Erfan

Reputation: 1192

You can use [AllowAnonymous]

 [Authorize]
 public class MyController : Controller
 {
     [AllowAnonymous]
     public ActionResult PublicMethod()
     {
           //some code
     }

     public ActionResult PrivateMethod()
     {
           //some code
     }
  }

Upvotes: 16

vladimir
vladimir

Reputation: 15208

By default it's impossible - if you set [Authorize] for controller then only authenticated user can access to action.

or

You can try custom decisions: stackoverflow.

Upvotes: 4

Related Questions