
MVC 3 - FormsAuthentication - Can't give access to my Login action

I'm using MVC 3 and FormsAuthentication:

<authentication mode="Forms">
  <forms loginUrl="~/Account/" timeout="2880" />      
</authentication>

My Account/Index page displays a login page, then using jQuery, it does a post to Account/Login to authenticate the user. Here's my AccountController action which handles it:

[HttpPost]
[Authorize(Users = "*")]
public ActionResult Login(string userName, string password) {
    ...
}

And the jQuery which posts to it:

$.post("/account/login", {
    "userName": $("#userName").val(),
    "password": $("#password").val()
}, function (data) {
    ...
});

All the above works, but now I want to restrict general access to the site, so I added this to my root web.config:

<authorization>
  <deny users="?" />      
</authorization>

And in an attempt to allow access to the Account controller, I added this:

<location path="~/Account">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

Here's my problem. I can view the login page (Account/Index), but I can't submit to Account/Login. When I watch what's going on through Fiddler, I get this text returned from the server when posting to that page:

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/Account/?ReturnUrl=%2faccount%2flogin">here</a>.</h2>
</body></html>

It seems that when I add "~/Account" to the full authorized user list it isn't really working like it would in a non-MVC project. Is there a special way to do this in MVC 3?

bugfixr asked Dec 28 '25 16:12


2 Answers

The path to a controller is typically not referenced as a relative path. You should just be able to say location="Account", e.g.

<location path="Account">

Can't be sure that's your issue as I can't test it right now, but it could be...

Timbo answered Dec 30 '25 22:12


Do not use the AuthorizeAttribute at all for the Login action. It makes no sense to require authorization for the authorization process itself.

To require authorization for all your Controllers you could create

[Authorize]
public class AuthorizeController : Controller 
{
}

and extend all your Controllers from this one except the AccountController.

DanielB answered Dec 30 '25 20:12
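An added example, not part of either answer or the asker's code: a controller layout following the second answer, with the Login action left free of [Authorize]. The returnUrl parameter, the Membership.ValidateUser call, the JSON shape and HomeController are assumptions, and it assumes authorization is enforced by the attribute rather than by the <deny users="?" /> rule in web.config.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Base class from the answer: [Authorize] is inherited, so every controller
// deriving from this one requires an authenticated user.
[Authorize]
public abstract class AuthorizeController : Controller
{
}

// Derives from Controller directly, so the inherited [Authorize] does not apply.
public class AccountController : Controller
{
    // GET /Account/ : the loginUrl from web.config; must stay reachable anonymously.
    public ActionResult Index(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    // POST /Account/Login : no [Authorize] here. AuthorizeAttribute first requires
    // an authenticated user, and Users is a comma-separated list of names, so
    // Users = "*" is a literal user name, not a wildcard. An anonymous POST is
    // rejected and forms authentication redirects it to loginUrl.
    [HttpPost]
    public ActionResult Login(string userName, string password, string returnUrl)
    {
        // Assumption: credentials live in the configured membership provider.
        if (!Membership.ValidateUser(userName, password))
        {
            return Json(new { success = false });
        }

        FormsAuthentication.SetAuthCookie(userName, false);

        // returnUrl arrives from the query string, so only follow it when it is local.
        var target = Url.IsLocalUrl(returnUrl) ? returnUrl : Url.Content("~/");
        return Json(new { success = true, redirectUrl = target });
    }
}

// Hypothetical protected controller: anonymous requests are sent to ~/Account/.
public class HomeController : AuthorizeController
{
    public ActionResult Index()
    {
        return View();
    }
}
```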