
How to allow an anonymous user access to some given page in MVC?

I have enabled form authentication in my ASP.NET MVC web application. I want to allow anonymous users access only to some specific pages, including Register.cshtml for instance. I was able to allow access to my CSS-file from my root web.config by doing this.

<location path="Content/Site.css">
    <system.web>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>
</location>

Now I want to allow anonymous access to other pages, like Home and Register. Does anybody know how to achieve this?

Johnson Duru asked Mar 15 '12 20:03



2 Answers

In MVC you normally use the [Authorize] attribute to manage authorization. Controllers or individual actions that are dressed with that attribute will require that the user is authorized in order to access them - all other actions will be available to anonymous users.

In other words, a black-list approach, where actions that require authorization are black-listed for anonymous users using [Authorize] - all actions (not dressed with the attribute) will be available.

Update:

With MVC4 a new attribute has been introduced, namely the [AllowAnonymous] attribute. Together with the [Authorize] attribute, you can now take a white-list approach instead. The white-list approach is accomplished by dressing the entire controller with the [Authorize] attribute, to force authorization for all actions within that controller. You can then dress specific actions, that shouldn't require authorization, with the [AllowAnonymous] attribute, and thereby white-listing only those actions. With this approach, you can be confident that you don't, by accident, forget to dress an action with the [Authorize], leaving it available to anyone, even though it shouldn't.

Your code could then be something like this:

using System.Web.Mvc;

[Authorize]
public class UserController : Controller {
    [AllowAnonymous]
    public ActionResult LogIn() {
        // This action can be accessed by unauthorized users
        return View();
    }

    public ActionResult UserDetails() {
        // This action can NOT be accessed by unauthorized users
        return View();
    }
}
Christofer Eliasson answered Sep 20 '22 20:09


In the Web.config I had the below authorization:

<authorization>
    <deny users="?"/>
</authorization>

This causes the

[AllowAnonymous]

to not work correctly. I had to remove that authorization from my Web.config, and in all the controllers put the line

[Authorize] 

before the declaration of the class, to work correctly.

Josue Morales answered Sep 19 '22 20:09
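An added example, not part of either answer or of any project's code: instead of putting [Authorize] on every controller, a global AuthorizeAttribute filter (MVC 4 or later) makes every action require login by default, and [AllowAnonymous] opens only the pages the question names. The controller and action names and the AnonymousActionAudit helper are hypothetical; the audit assumes actions are declared on the controller itself and return ActionResult.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// App_Start/FilterConfig.cs, called from Application_Start with GlobalFilters.Filters:
// every action requires an authenticated user unless it opts out.
public class FilterConfig {
    public static void RegisterGlobalFilters(GlobalFilterCollection filters) {
        filters.Add(new AuthorizeAttribute());
    }
}

// Hypothetical controllers: opt out only for the pages that must be public.
[AllowAnonymous]
public class HomeController : Controller {
    public ActionResult Index() { return View(); }
}

public class AccountController : Controller {
    [AllowAnonymous]   // the login page must stay reachable or the redirect loops
    public ActionResult Login() { return View(); }

    [AllowAnonymous]
    public ActionResult Register() { return View(); }

    // No attribute: the global filter redirects anonymous users to the login page.
    public ActionResult Manage() { return View(); }
}

// Hypothetical audit helper: lists every anonymously reachable action so a unit
// test can compare the result with a reviewed allow-list of public pages.
public static class AnonymousActionAudit {
    public static IEnumerable<string> Find(Assembly assembly) {
        return from type in assembly.GetTypes()
               where typeof(Controller).IsAssignableFrom(type) && !type.IsAbstract
               from method in type.GetMethods(
                   BindingFlags.Instance | BindingFlags.Public | BindingFlags.DeclaredOnly)
               where typeof(ActionResult).IsAssignableFrom(method.ReturnType)
               where type.IsDefined(typeof(AllowAnonymousAttribute), true)
                  || method.IsDefined(typeof(AllowAnonymousAttribute), true)
               orderby type.Name, method.Name
               select type.Name + "." + method.Name;
    }
}
```

For these sample controllers, AnonymousActionAudit.Find(typeof(HomeController).Assembly) yields AccountController.Login, AccountController.Register and HomeController.Index; a test that fails on any other entry catches an action opened to anonymous users by mistake.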