I have an MVC4 Web application which uses Windows Authentication, that is in web.config I have <authentication mode="Windows" />
And that works fine and everything is ok.
However now I need a controller (a Web API controller in fact) that should be accessed anonymously from a third party component. The problem is that every time I want to invoke this method it requests user credentials.
I tried putting the AllowAnonymous attribute on the controller and methods, but it was not successful.
[AllowAnonymous]
public bool Get(string Called, string Calling, string CallID, int direction)
I checked on both IIS Express and IIS 8 with Anonymous authentication and Windows authentication enabled.
It seems that Windows authentication precedes any other authentication and cannot be overridden.
Is there a way to accomplish this?
Enabling Windows Authentication
First, while developing an MVC application, you use the ASP.NET Development Web Server included with Visual Studio. By default, the ASP.NET Development Web Server executes all pages in the context of the current Windows account (whatever account you used to log into Windows).
In ASP.NET MVC, by default, all the action methods are accessible to both anonymous and authenticated users. But, if you want the action methods to be available only for authenticated and authorized users, then you need to use the AuthorizationFilter in MVC.
In MVC you normally use the [Authorize] attribute to manage authorization. Controllers or individual actions that are dressed with that attribute will require that the user is authorized in order to access them - all other actions will be available to anonymous users.
Add this to your Web.config. Here, my controller is named "WebhookController".
<location path="Webhook">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
See this KB article for more info.
Edit - As Erik mentioned below, in MVC applications you should not use web.config <authorization> tags for security. Instead, use [Authorize] attributes. Doing so will allow your [AllowAnonymous] attributes to work correctly. You can read more about this here.
The accepted answer seems to be out of date, so...
In your web.config, remove these lines:
<authorization>
  <deny users="?" />
</authorization>
In the solution explorer, click your project, then click F4 (or open the properties explorer). Enable Anonymous Authentication.
Now you're free to use the Authorize and AllowAnonymous attributes. They're pretty straightforward: Authorize means the user needs to be authorized in order to access the action or controller, AllowAnonymous means the opposite. If an unauthorized user attempts to access a controller or action with the Authorize attribute, they'll be redirected to a login page. If you put Authorize on a controller it applies to all the controller's actions, except ones with AllowAnonymous.
web.config should not be touched as indicated here.
In order to achieve the desired result, AllowAnonymous and [Authorize] (and maybe some custom authorization attribute, if needed) should be used.
Steps to be performed:
Ensure IIS has both Anonymous Authentication and Windows Authentication configured for the web application / web site
All controllers should use the [Authorize] attribute. This can be easily achieved if all inherit from a common controller class (e.g. BaseController / BaseApiController). E.g.:
[Authorize]
public class BaseController : System.Web.Mvc.Controller
{
}
[Authorize]
public class BaseApiController : System.Web.Http.ApiController
{
}
Add the [AllowAnonymous] attribute to all actions that are supposed to be anonymous. E.g.:
[RoutePrefix("Api/Anonymous")]
[Authorize]
public class AnonymousController : ApiController
{
    [HttpGet]
    [Route("GetServiceStatus")]
    [AllowAnonymous]
    public string GetServiceStatus()
    {
        return "OK";
    }
}
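Once IIS has Anonymous Authentication enabled alongside Windows Authentication, any controller that misses [Authorize] is reachable without credentials. The following added example (not code from any of the answers above) uses reflection to list every action an anonymous caller can reach, so the result can be compared against an approved list. The class name AnonymousSurfaceAudit is hypothetical, and the check assumes authorization is applied only through attributes: it does not see global filters or web.config authorization rules.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Hypothetical helper: reports the anonymously reachable actions in a web assembly.
public static class AnonymousSurfaceAudit
{
    static readonly Type[] Authorize =
        { typeof(System.Web.Mvc.AuthorizeAttribute), typeof(System.Web.Http.AuthorizeAttribute) };
    static readonly Type[] AllowAnonymous =
        { typeof(System.Web.Mvc.AllowAnonymousAttribute), typeof(System.Web.Http.AllowAnonymousAttribute) };

    static bool Has(MemberInfo member, Type[] kinds)
    {
        // inherit = true also sees attributes placed on a base controller class.
        return member.GetCustomAttributes(true).Any(a => kinds.Any(k => k.IsInstanceOfType(a)));
    }

    // Returns "Controller.Action (reason)" for each action reachable without authentication.
    public static IList<string> Find(Assembly webAssembly)
    {
        var findings = new List<string>();
        var controllers = webAssembly.GetTypes().Where(t => !t.IsAbstract &&
            (typeof(System.Web.Mvc.ControllerBase).IsAssignableFrom(t) ||
             typeof(System.Web.Http.ApiController).IsAssignableFrom(t)));

        foreach (var c in controllers)
        {
            // Public methods declared in this assembly; framework members are skipped.
            // [NonAction] is ignored, so the list may over-report, never under-report.
            var actions = c.GetMethods(BindingFlags.Public | BindingFlags.Instance)
                           .Where(m => !m.IsSpecialName && m.DeclaringType.Assembly == webAssembly);
            foreach (var m in actions)
            {
                if (Has(c, AllowAnonymous) || Has(m, AllowAnonymous))
                    findings.Add(c.Name + "." + m.Name + " (AllowAnonymous)");
                else if (!Has(c, Authorize) && !Has(m, Authorize))
                    findings.Add(c.Name + "." + m.Name + " (no Authorize)");
            }
        }
        return findings;
    }
}
```

Called from a unit test as AnonymousSurfaceAudit.Find(typeof(AnonymousController).Assembly), the controller shown above should produce exactly one entry, "AnonymousController.GetServiceStatus (AllowAnonymous)"; any "(no Authorize)" entry is a controller that skipped the base class.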