 

How do I allow all users access to one route within a website with integrated auth?

I have an ASP.Net MVC app using Integrated Security that I need to be able to grant open access to a specific route. The route in question is ~/Agreements/Upload. I have tried a few things and nothing has worked thus far.

<configuration> 
  <location path="~/Agreements/Upload">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration> 

In IIS under Directory Security > Authentication Methods I only have "Integrated Windows Authentication" selected. Now, this could be part of my problem (as even though IIS allows the above IIS doesn't). But if that's the case, how do I configure it so that Integrated Security works but allows people who aren't authenticated to access the given route?

vdh_ant asked Mar 31 '10 04:03



1 Answer

In ASP.NET MVC you should not use the location element in the web.config. Whereas the web forms engine mapped to physical files on disk, the MVC engine uses routing. This means that you could inadvertently allow access to a "protected controller" through a custom route by accident.

The recommended way of securing ASP.NET MVC applications is through the use of the Authorize attribute, as seen in the example below:

using System.Web.Mvc;

public class HomeController : Controller
{
    // Only authenticated users may invoke this action.
    [Authorize]
    public ActionResult Index()
    {
        return View();
    }
}

The controller action is what you want to protect and not the route. The ASP.NET MVC Security bod, Levi Broderick, is rather vocal about this issue:

  1. Excluding an action from authorization in ASP.NET MVC 2
  2. Problem with Authorization with IIS and MVC.
Rebecca answered Oct 04 '22 20:10
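
An added example, not part of the answer above: deny-by-default authorization with the one `Upload` action from the question opened to anonymous callers. It assumes ASP.NET MVC 4 or later (where `[AllowAnonymous]` exists) and that `FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters)` is called from `Application_Start`; the `Index` action, the `file` parameter, the POST verb and the size limit are hypothetical.

```csharp
using System.Web;
using System.Web.Mvc;

// Deny by default: every action requires an authenticated user unless it opts out.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new AuthorizeAttribute());
    }
}

public class AgreementsController : Controller
{
    // Hypothetical cap for the anonymous endpoint (assumption, not from the page).
    private const int MaxUploadBytes = 5 * 1024 * 1024;

    // No attribute here: the global AuthorizeAttribute applies,
    // so only Windows-authenticated users reach this action.
    public ActionResult Index()
    {
        return View();
    }

    // The single action open to everyone. The exemption is attached to the
    // action itself, so it holds for every route that can reach it, and a
    // new custom route cannot expose any other action by accident.
    [AllowAnonymous]
    [HttpPost]
    public ActionResult Upload(HttpPostedFileBase file)
    {
        if (file == null || file.ContentLength == 0)
            return new HttpStatusCodeResult(400, "No file supplied");
        if (file.ContentLength > MaxUploadBytes)
            return new HttpStatusCodeResult(413, "File too large");

        // Anonymous input is untrusted: store it under a server-generated
        // name, never under file.FileName. The application's own storage
        // call belongs here.
        return new HttpStatusCodeResult(200);
    }
}
```

For the anonymous action to be reachable, IIS must have Anonymous Authentication enabled alongside Integrated Windows Authentication; with only Windows authentication enabled, IIS challenges every request before MVC runs. Protected actions still trigger the Windows challenge because `[Authorize]` answers unauthenticated requests with a 401.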