I have an action named ForgotPassword. Every time an anonymous user tries to access the action, he/she is redirected to the login page. Below is my implementation.
public ActionResult ForgotPassword(string UserName)
{
    // Moreover, when I place a breakpoint on the line below,
    // it's not even getting here
    return View("Login");
}
And here is a portion of my web.config file:
<location path="">
    <system.web>
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>
</location>
<location path="Content">
    <system.web>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>
</location>
<location path="Scripts">
    <system.web>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>
</location>
<location path="Images">
    <system.web>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>
</location>
<authentication mode="Forms">
    <forms loginUrl="/Home/Login" timeout="5" slidingExpiration="false" />
</authentication>
You are denying everyone access to the application by using:
<authorization>
    <deny users="?"/>
</authorization>
IMHO, you should not use web.config to control the authentication of your application; instead, use the Authorize attribute.
Add this in your Global.asax file, under the RegisterGlobalFilters method:
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    filters.Add(new HandleErrorAttribute());
    filters.Add(new AuthorizeAttribute()); // Added
}
Or you can also decorate your controller with [Authorize]:
[Authorize]
public class HomeController : Controller
{
    ...
}
If you are using ASP.NET MVC 4, for actions which require anonymous access, use the AllowAnonymous attribute:
[AllowAnonymous]
public ActionResult ForgotPassword()
{
    // Moreover, when I place a breakpoint on the line below,
    // it's not even getting here
    return View("Login");
}
As per the reference, you cannot use routing or web.config files to secure your MVC application. The only supported way to secure your MVC application is to apply the Authorize attribute to each controller and use the new AllowAnonymous attribute on the login and register actions. Making security decisions based on the current area is a Very Bad Thing and will open your application to vulnerabilities.
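One way to verify the approach in the answer above, as an added example that is not part of the original answer or of ASP.NET MVC itself: a reflection-based audit that lists every action an unauthenticated request can reach, so that an unexpected [AllowAnonymous] or a missing [Authorize] fails a test. The class name AnonymousAccessAudit and the allowlist entries are assumptions; only [Authorize] and [AllowAnonymous] are considered, not custom authorization filters.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc; // ASP.NET MVC 4 or later

public static class AnonymousAccessAudit
{
    // True when the action or its controller carries the attribute, the same
    // two places AuthorizeAttribute checks for [AllowAnonymous].
    private static bool Has<T>(ActionDescriptor action) where T : Attribute
    {
        return action.IsDefined(typeof(T), true)
            || action.ControllerDescriptor.IsDefined(typeof(T), true);
    }

    // Lists "Controller/Action" for every action reachable without logging in.
    // globalAuthorize: whether AuthorizeAttribute is added in RegisterGlobalFilters.
    public static IList<string> FindAnonymousActions(Assembly webAssembly, bool globalAuthorize)
    {
        return webAssembly.GetTypes()
            .Where(t => !t.IsAbstract && typeof(Controller).IsAssignableFrom(t))
            .SelectMany(t => new ReflectedControllerDescriptor(t).GetCanonicalActions())
            .Where(a => Has<AllowAnonymousAttribute>(a)
                     || (!globalAuthorize && !Has<AuthorizeAttribute>(a)))
            .Select(a => a.ControllerDescriptor.ControllerName + "/" + a.ActionName)
            .Distinct()
            .OrderBy(name => name)
            .ToList();
    }

    // Throws when the anonymous surface is larger than the reviewed allowlist.
    // Allowlist entries are assumed from the action names used in the post.
    public static void AssertOnlyExpected(Assembly webAssembly)
    {
        var expected = new[] { "Home/ForgotPassword", "Home/Login" };
        var unexpected = FindAnonymousActions(webAssembly, true).Except(expected).ToList();
        if (unexpected.Count > 0)
            throw new InvalidOperationException(
                "Unexpected anonymous actions: " + string.Join(", ", unexpected));
    }
}
```

Call AssertOnlyExpected(typeof(HomeController).Assembly) from a unit test; pass globalAuthorize as false to FindAnonymousActions to see what would be exposed if the global filter were ever removed.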