Menu
I have enabled form authentication in my ASP.NET MVC web application. I want to allow anonymous users access only to some specific pages, including Register.cshtml for instance. I was able to allow access to my CSS-file from my root web.config by doing this.
<location path="Content/Site.css"> <system.web> <authorization> <allow users="*"/> </authorization> </system.web> </location> Now I want to allow anonymous access to other pages, like Home and Register. Do any body know how to achieve this?
520
One of the new features in ASP.NET MVC 4 is the AllowAnonymous Attribute that helps you secure an entire ASP.NET MVC 4 Website or Controller while providing a convenient means of allowing anonymous users access to certain controller actions, like the login and register Actions.
To restrict the public action method in MVC, we can use the “NonAction” attribute. The “NonAction” attribute exists in the “System. Web.
But, you can restrict or prevent access by just adding a one attribute above to that controller action method named as “[ChildActionOnly]”.
The AllowAnonymous attribute in MVC is used to skip the authorization which is enforced by Authorization Filter in MVC. Now, run the application and navigate to /Home/NonSecured and you will see that it displays the page as expected and when you navigate to /Home/Secured, then it will redirect you to the Login page.
In MVC you normally use the [Authorize] attribute to manage authorization. Controllers or individual actions that are dressed with that attribute will require that the user is authorized in order to access them - all other actions will be available to anonymous users.
In other words, a black-list approach, where actions that require authorization are black-listed for anonymous users using [Authorize] - all actions (not dressed with the attribute) will be available.
Update:
With MVC4 a new attribute has been introduced, namely the [AllowAnonymous] attribute. Together with the [Authorize] attribute, you can now take a white-list approach instead. The white-list approach is accomplished by dressing the entire controller with the [Authorize] attribute, to force authorization for all actions within that controller. You can then dress specific actions, that shouldn't require authorization, with the [AllowAnonymous] attribute, and thereby white-listing only those actions. With this approach, you can be confident that you don't, by accident, forget to dress an action with the [Authorize], leaving it available to anyone, even though it shouldn't.
Your code could then be something like this:
[Authorize] public class UserController : Controller { [AllowAnonymous] public ActionResult LogIn () { // This action can be accessed by unauthorized users } public ActionResult UserDetails () { // This action can NOT be accessed by unauthorized users } } In the Web.config i had the below authorization
<authorization> <deny users ="?"/> </authorization> this causes the
[AllowAnonymous] not work correctly, i had to remove that authorization of my Web.config, and in all the controllers put the line
[Authorize] before the declaration of the class, to work correctly.
29
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
