ASP.NET MVC Forms authentication and unauthenticated controller actions

I have an ASP.NET MVC site that is locked down using Forms Authentication. The web.config has

<authentication mode="Forms">
    <forms defaultUrl="~/Account/LogOn" loginUrl="~/Account/LogOn" timeout="2880"/>
</authentication>
<authorization>
    <deny users="?"/>
</authorization>

None of my pages other than Account/LogOn can be viewed unless the user is authenticated.

Now I am trying to add PayPal IPN to my site and in order to do that I need to have two pages that handle PayPal's payment confirmation and thank you page. These two pages need to be available for anonymous users.

I would like these pages to be controller actions off my Account controller. Is there any way I can apply an attribute to specific action methods that makes them available to anonymous users? I found several posts here that attempt to do that, but most people wanted the opposite scenario.

Basically I want my AccountController class to have no authorization for most of the methods except for a few. Right now it looks like only the LogOn method is available to anonymous users.

Mike Weerasinghe asked Nov 29 '09 20:11




2 Answers

Yes you can. In your AccountController there's an [Authorize]-attribute either on class-level (to make the whole controller restricted) or on specific methods.

To make specific actions restricted you simply use the Authorize-attribute on the methods that handle these actions, and leave the controller-class unrestricted.

Here are a few examples... hope it helps

To require users to login, use:

[Authorize]
public class SomeController : Controller { }

// Or, on a single action inside an otherwise open controller:
public class SomeController : Controller
{
    [Authorize]
    public ActionResult SomeAction() { return View(); }
}

To restrict access for specific roles, use:

[Authorize(Roles = "Admin, User")]
public class SomeController : Controller { }

// Or, on a single action:
public class SomeController : Controller
{
    [Authorize(Roles = "Admin, User")]
    public ActionResult SomeAction() { return View(); }
}

And to restrict access for specific users, use:

[Authorize(Users = "Charles, Linus")]
public class SomeController : Controller { }

// Or, on a single action:
public class SomeController : Controller
{
    [Authorize(Users = "Charles, Linus")]
    public ActionResult SomeAction() { return View(); }
}

As you can see, you can either use the attribute at class-level or at method-level. Your choice!

Mickel answered Oct 04 '22 06:10

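Applied to the asker's situation, the method-level approach from this answer looks like the following. This is an added example, not code from the question or the answer. It assumes the site-wide `<deny users="?"/>` has been removed from web.config: that rule is enforced by ASP.NET URL authorization before MVC runs any controller, so no attribute can reopen a path it has already denied. The action names Ipn, ThankYou, ChangePassword and ManageUsers are hypothetical.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Added example (not from the question or the answer). Assumes web.config no
// longer contains <deny users="?"/>; URL authorization applies that rule
// before any controller is selected. Action names below are hypothetical.
public class AccountController : Controller
{
    // No [Authorize] on the class, so each action opts in explicitly.
    // Trade-off to keep in mind: an action added later without the
    // attribute is anonymous by default (fail-open).

    // Anonymous: the log-on form (GET).
    public ActionResult LogOn()
    {
        return View();
    }

    // Anonymous: the log-on form (POST).
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult LogOn(string userName, string password)
    {
        if (Membership.ValidateUser(userName, password))
        {
            FormsAuthentication.SetAuthCookie(userName, false);
            return RedirectToAction("Index", "Home");
        }
        ModelState.AddModelError("", "The user name or password is incorrect.");
        return View();
    }

    // Anonymous: PayPal's server posts IPN messages here. It carries no
    // forms-authentication cookie, so this action must not be authorized.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Ipn()
    {
        // Raw, URL-encoded form body as received from PayPal.
        string ipnMessage = Request.Form.ToString();
        // Hand ipnMessage to an IPN verification step (outside this example)
        // before trusting any field in it; an empty 200 reply tells PayPal
        // the message was received.
        return new EmptyResult();
    }

    // Anonymous: the buyer is redirected here after paying.
    public ActionResult ThankYou()
    {
        return View();
    }

    // Everything else requires an authenticated user.
    [Authorize]
    public ActionResult ChangePassword()
    {
        return View();
    }

    // Role check on top of authentication.
    [Authorize(Roles = "Admin")]
    public ActionResult ManageUsers()
    {
        return View();
    }
}
```

Because the controller itself is open, the check a reviewer should make on every later change to this class is "does the new action carry [Authorize]?"; the base-controller layout in the other answer inverts that default.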


I don't think there is an "Unauthorize" attribute that can be applied to actions, and if you don't want to place "[Authorize]" on all but two actions in a controller, try the following:

Here are two methods I can think of:

1- Location attribute in Web.config (Not sure if this will work with MVC routing etc.)

After your

<system.web> stuff </system.web>

in web.config file, add the following:

<location path="Account/ActionOne">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>

Where Account/ActionOne is the name of the action method you want to give anonymous access to. For the second Action, copy the above code and paste it right after it and change the name of the Action.

I'm not sure if this will work because of MVC routing etc, but give it a try.

2- Base Controller

If the previous solution didn't work, your best bet would be to create a base controller that is decorated with the Authorize attribute:

[Authorize]
public class AuthorizeControllerBase : Controller {}

Then have all your controllers inherit from it:

public class AccountController : AuthorizeControllerBase
{
      // your actions etc.
}

This will make any controller that inherits from AuthorizeControllerBase require authorization/logging in to invoke any methods.

Then you would need to remove from your web.config

Omar answered Oct 04 '22 06:10

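The base-controller approach from this answer, carried through for the asker's PayPal pages, as an added example that is not the answer's own code. It assumes, as above, that `<deny users="?"/>` is gone from web.config, since URL authorization would otherwise reject anonymous requests before MVC can select a controller. The stock [Authorize] attribute offers no per-action exemption, so the anonymous endpoints are placed on a separate controller that derives from Controller directly; that controller (PublicController) and its actions are this example's design choice, not something the answer states.

```csharp
using System.Web.Mvc;

// Added example (not the answer's own code). Assumes <deny users="?"/> has
// been removed from web.config. PublicController, Ipn, ThankYou,
// ChangePassword and ManageUsers are hypothetical names.

// Every controller that derives from this class requires a logged-in user.
// The default is deny: a new action on a derived controller is protected
// unless someone deliberately moves it to an open controller (fail-closed).
[Authorize]
public abstract class AuthorizeControllerBase : Controller
{
}

public class AccountController : AuthorizeControllerBase
{
    public ActionResult ChangePassword()
    {
        return View();
    }

    // The inherited [Authorize] can be tightened per action, but not
    // loosened: there is no attribute that removes it from one method.
    [Authorize(Roles = "Admin")]
    public ActionResult ManageUsers()
    {
        return View();
    }
}

// Anonymous endpoints derive from Controller directly, so they do not
// inherit the [Authorize] attribute above.
public class PublicController : Controller
{
    // PayPal's server posts IPN messages here without any session cookie.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Ipn()
    {
        // Raw, URL-encoded form body as received from PayPal; verify it
        // (outside this example) before acting on any field.
        string ipnMessage = Request.Form.ToString();
        return new EmptyResult();
    }

    // The buyer is redirected here after paying.
    public ActionResult ThankYou()
    {
        return View();
    }

    // The LogOn actions (GET and POST) must also live on an open controller
    // such as this one, and web.config's loginUrl and defaultUrl must then
    // point at that controller instead of ~/Account/LogOn.
}
```

With this layout the thing to verify after deployment is that a request to the IPN action without a cookie gets a 200 rather than a redirect to the log-on page, and that a request to any AccountController action without a cookie does get that redirect.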