Allow Anonymous to call certain action in asp.net mvc 3

12,048

Solution 1

As you are denying everyone from application by using.

<authorization>
    <deny users="?"/>
</authorization>

IMHO, you should not use web.config to control the authentication of your application instead use Authorize attribute.

Add this in your Global.asax file under RegisterGlobalFilters method

public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    filters.Add(new HandleErrorAttribute());
    filters.Add(new AuthorizeAttribute()); //Added
}

or you can decorate also your controller with [Authorize]

[Authorize]
public class HomeController : Controller
{
    ...
}

If you are using ASP.NET MVC4, For action which require Anonymous access use AllowAnonymous attribute

[AllowAnonymous]
public ActionResult ForgotPassword() {
    //More over when i place a breakpoint for the below line 
    //its not even getting here
    return View("Login");;   
}

As per Reference, You cannot use routing or web.config files to secure your MVC application. The only supported way to secure your MVC application is to apply the Authorize attribute to each controller and use the new AllowAnonymous attribute on the login and register actions. Making security decisions based on the current area is a Very Bad Thing and will open your application to vulnerabilities.

Solution 2

From this link: http://weblogs.asp.net/jongalloway/asp-net-mvc-authentication-global-authentication-and-allow-anonymous

If you are using MVC 3 you can't do:

public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    filters.Add(new HandleErrorAttribute());
    filters.Add(new AuthorizeAttribute());
}

Why it's global and AllowAnonymous attribute doesn't work on MVC 3.

So you need build your own filter. It's working for me (MVC 3), you can check the complete solution here.

using System.Web.Mvc;
using MvcGlobalAuthorize.Controllers;

namespace MvcGlobalAuthorize.Filters {
    public sealed class LogonAuthorize : AuthorizeAttribute {
        public override void OnAuthorization(AuthorizationContext filterContext)         {
            bool skipAuthorization = filterContext.ActionDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true)
            || filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true);
            if (!skipAuthorization) {
                base.OnAuthorization(filterContext);
            }
        }
    }
}

Solution 3

I assume you're setting an "Authorize" attribute on your controller, which will force login for every controller action. I recommend to remove that attribute from the controller, and set it to each action one by one. or upgrade to MVC 4 and use the AllowAnonymous attribute.

12,048

Redone

Updated on September 23, 2022

Comments

Redone almost 2 years

I have an action named ForgetPassword. Every time an anonymous tries to retrieve the action he /she is redirected to the Login Page. Below are my implementations.

public ActionResult ForgotPassword(string UserName)
{
    //More over when i place a breakpoint for the below line 
    //its not even getting here
    return View("Login");
}

And here is a portion of my web.config file

    <location path="">
        <system.web>
          <authorization>
            <deny users="?"/>
          </authorization>
        </system.web>    
      </location>

  <location path="Content">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>    
  </location>

  <location path="Scripts">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>    
  </location>

  <location path="Images">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>    
  </location>

<authentication mode="Forms">
  <forms loginUrl="/Home/Login" timeout="5" slidingExpiration="false" />
</authentication>