Can you enable [Authorize] for controller but disable it for a single action?
Solution 1
I don't think you can do this with the standard Authorize attribute, but you could derive your own attribute from AuthorizeAttribute that takes a list of actions to allow and allows access to just those actions. You can look at the source for the AuthorizeAttribute at www.codeplex.com for ideas on how to do this. If you did, it might look like:
[AdminAuthorize (Roles = "Administrator", Exempt = "Login, Logout") ]
public class AdminController : Controller
{
public ActionResult Login()
{
return View();
}
public ActionResult Login()
{
return View();
}
... other, restricted actions ...
}
EDIT: FYI, I eventually ran across a need to do something similar on my own and I went a different direction. I created a default authorization filter provider and apply a global authorize filter. The authorization filter provider uses reflection to check if an action or controller has a specific authorize attribute applied and, if so, defers to it. Otherwise, it applies a default authorization filter. This is coupled with a PublicAttribute derived from AuthorizeAttribute that allows public access. Now, I get default secured access, but can grant public access via [Public]
applied to an action or controller. More specific authorization can also be applied as necessary. See my blog at http://farm-fresh-code.blogspot.com/2011/04/default-authorization-filter-provider.html
Solution 2
You can decorate your controller with [Authorize] and then you can just decorate the method that you want to exempt with [AllowAnonymous]
Solution 3
You could override the OnAuthorization method of the controller
protected override void OnAuthorization(AuthorizationContext filterContext)
{
if ((string)(filterContext.RouteData.Values["action"]) == "Login")
{
filterContext.Cancel = true;
filterContext.Result = Login();
}
}
This works but it is a hack.
Full class code used for testing:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Mvc.Ajax;
namespace MvcApplication2.Controllers
{
[HandleError]
[Authorize]
public class HomeController : Controller
{
public ActionResult Index()
{
ViewData["Title"] = "Home Page";
ViewData["Message"] = "Welcome to ASP.NET MVC!";
return View();
}
public ActionResult About()
{
ViewData["Title"] = "About Page";
return View();
}
protected override void OnAuthorization(AuthorizationContext filterContext)
{
if ((string)(filterContext.RouteData.Values["action"]) == "Index")
{
filterContext.Cancel = true;
filterContext.Result = Index();
}
}
}
}
Solution 4
May be it's not actual, but I wrote my custom attribute:
public class SelectableAuthorizeAttribute : AuthorizeAttribute
{
public SelectableAuthorizeAttribute(params Type[] typesToExclude)
{
_typesToExlude = typesToExclude;
}
private readonly Type[] _typesToExlude;
public override void OnAuthorization(AuthorizationContext filterContext)
{
bool skipAuthorization = _typesToExlude.Any(type => filterContext.ActionDescriptor.ControllerDescriptor.ControllerType == type);
if (!skipAuthorization)
{
base.OnAuthorization(filterContext);
}
}
}
And then registered it in my global filetrs:
filters.Add(new SelectableAuthorizeAttribute(typeof(MyController)));
Hope that it will be useful for someone
Related videos on Youtube
Todd Smith
Updated on April 16, 2022Comments
-
Todd Smith about 2 years
I would like to use
[Authorize]
for every action in my admin controller except theLogin
action.[Authorize (Roles = "Administrator")] public class AdminController : Controller { // what can I place here to disable authorize? public ActionResult Login() { return View(); } }
-
Todd Smith over 15 yearsLooks like you're correct according to codeplex.com/aspnet/SourceControl/changeset/view/17272 I'm guessing the attribute gets applied at the controller level and never gives the action an attempt to evaluate it.
-
Todd Smith over 15 yearsHmm apparently you can't link directly to the source file on codeplex.
-
Todd Smith over 15 yearsDoes this get called before or after the [Authorize] attribute?
-
Todd Smith over 15 yearsIt looks like the [Authoirze] attribute is evaluated first and never gets to the OnAuthoirization method.
-
MrJavaGuy over 15 yearsGets called every time for me.
-
MrJavaGuy over 15 yearsLooking again at your question, you should be able to use the line fliterContext.Result = View("Login"); as well
-
Todd Smith over 15 yearsOnAuthorization is getting called except when I have a [Authorize] attribute on the controller itself.
-
MrJavaGuy over 15 yearsAre you using the beta of the MVC or one of the previews? I have the [Authorize] attribute on the controller as well.
-
Todd Smith over 15 yearsI'm using the beta. Perhaps the difference is the roles [Authorize (Roles = "Administrator")]
-
MrJavaGuy over 15 yearsglad to know I am not crazy :)
-
Todd Smith over 15 yearsThere is one catch with this approach, if you have two versions of your login, one for get and one for post and your methods are decorated with [AcceptVerbs(HttpVerbs.Get)] and [AcceptVerbs(HttpVerbs.Post)] then the OnAuthorization method gets a bit more complicated.
-
MrJavaGuy over 15 yearsonly a little, use filterContext.HttpContext.Request.HttpMethod for the verb
-
mipe34 about 11 yearsNote, that
Cancel
property ofAuthorizationContext
has been removed since RC1. stackoverflow.com/questions/505653/… -
Martin Hansen Lennox over 10 yearsIsn't this the correct answer? Or perhaps this was not the case in 2008 when the question was asked...
-
Ben Pretorius almost 3 yearsWhich framework are you having trouble with?