
MVC3: Can one controller require Windows Authentication while a second allows anonymous?

I have one controller that renders pages in an internal web application that needs to be Windows authenticated. There exists a second controller used for JSON-based queries into the system that do NOT need to be Windows authenticated. Is that possible? It appears I've only been able to do one or the other at the moment.

Any suggestions?

Shawn asked Oct 18 '11 17:10


2 Answers

We have a few apps that need to do this exact thing. Often, our apps are locked down in the web.config:

<authentication mode="Windows"/>
<authorization>
  <allow roles="DOMAIN\GroupNameHere"/>
  <deny users="?"/>
</authorization>
<location path="ApiControllerName">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

However, you still have to turn off Windows authentication for that API Controller. You can do this by editing the applicationHost.config file on the IIS server and adding:

<location path="Default Web Site/ApplicationName/ApiControllerName">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="true" />
                <windowsAuthentication enabled="false" />
            </authentication>
        </security>
    </system.webServer>
</location>

This PowerShell script will do it for you:

# Run from an elevated prompt on the IIS server: this edits applicationHost.config.
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Web.Administration")

# Site/application/controller path whose authentication settings are overridden
$applicationLocationPath = "Default Web Site/ApplicationName/ApiControllerName"

$oIIS = new-object Microsoft.Web.Administration.ServerManager
$oGlobalConfig = $oIIS.GetApplicationHostConfiguration()

# Allow anonymous requests at this path
$oSection = $oGlobalConfig.GetSection("system.webServer/security/authentication/anonymousAuthentication", $applicationLocationPath)
$oSection.SetAttributeValue("enabled", "True")
# Turn Windows authentication off at this path only
$oSection = $oGlobalConfig.GetSection("system.webServer/security/authentication/windowsAuthentication", $applicationLocationPath)
$oSection.SetAttributeValue("enabled", "False")

# Write the changes to applicationHost.config
$oIIS.CommitChanges()
intoOrbit answered Nov 05 '22 10:11
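An added check, not part of either answer: once the API path has been opened to anonymous requests, read applicationHost.config back and list every `<location>` that overrides authentication, flagging anonymous access anywhere other than the intended path. The XML is a constructed sample (the `Admin` entry is hypothetical), and `Get-EnabledState` and `Get-LocationAuthReport` are names introduced for this example.

```powershell
# Constructed sample shaped like applicationHost.config. On a server, load the real file:
#   [xml]$config = Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config"
[xml]$config = @'
<configuration>
  <location path="Default Web Site/ApplicationName">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/ApplicationName/ApiControllerName">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" />
      <windowsAuthentication enabled="false" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/ApplicationName/Admin">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>
'@

# Assumption: the API controller is the only path meant to accept anonymous requests.
$expectedAnonymous = @('Default Web Site/ApplicationName/ApiControllerName')

function Get-EnabledState([System.Xml.XmlNode]$AuthNode, [string]$Name) {
    $node = $AuthNode.SelectSingleNode($Name)
    if ($null -eq $node -or -not $node.HasAttribute('enabled')) { return 'inherited' }
    return $node.GetAttribute('enabled').ToLowerInvariant()
}

function Get-LocationAuthReport([xml]$Config, [string[]]$ExpectedAnonymous) {
    foreach ($location in $Config.SelectNodes('/configuration/location')) {
        $auth = $location.SelectSingleNode('system.webServer/security/authentication')
        if ($null -eq $auth) { continue }   # this location does not override authentication
        $path = $location.GetAttribute('path')
        $anon = Get-EnabledState $auth 'anonymousAuthentication'
        $win  = Get-EnabledState $auth 'windowsAuthentication'
        $finding = 'ok'
        if ($anon -eq 'true' -and $ExpectedAnonymous -notcontains $path) {
            $finding = 'REVIEW: anonymous access not on the expected list'
        }
        [pscustomobject]@{ Path = $path; Anonymous = $anon; Windows = $win; Finding = $finding }
    }
}

Get-LocationAuthReport $config $expectedAnonymous | Format-Table -AutoSize
```

With the sample above, only the `Admin` row is marked for review; a state of `inherited` means the location does not set that attribute itself.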


Yes. Based on what authentication you choose, you decorate your controller's action method with Authorize.

This article presents exactly what you are looking for: http://www.asp.net/mvc/tutorials/authenticating-users-with-windows-authentication-cs

From the article: "For example, the Home controller in Listing 1 exposes three actions named Index(), CompanySecrets(), and StephenSecrets(). Anyone can invoke the Index() action. However, only members of the Windows local Managers group can invoke the CompanySecrets() action. Finally, only the Windows domain user named Stephen (in the Redmond domain) can invoke the StephenSecrets() action."

gideon answered Nov 05 '22 10:11