Forms Authentication & authorization MVC 4
I'm trying to create an anonymous controller in order to achieve forms authentication. I configured my IIS 7 with anonymous and forms authentication enabled and set my web.config to deny anonymous users. On the login controller I put the [AllowAnonymous] attribute on my controller (and my actions).

The only action I can get to with this configuration is the login action (which returns the "login" view), and I'm guessing MVC allows me to reach this action because I set it as the login URL in my web.config.

Here is my web config configuration:

     <authentication mode="Forms">
        <forms loginUrl="~/Login/Login" timeout="2880" />
     </authentication>

All the other actions are redirected to the login action. With this configuration I can't get to other important actions like restore password, register, etc.

What am I doing wrong?

Concertgoer answered 5/5, 2013 at 8:58 Comment(2)
You can't deny globally - password restoring or registering have to be accessed anonymously. - Ineffaceable
So what do I need to change? If I'm allowing anonymous access, then all the site is accessible and MVC doesn't redirect the unauthenticated user to the login action. - Concertgoer
Use a global authentication filter with custom behaviour instead of the authorization configuration in web.config (best for MVC).

Add a global filter:

using System.Web.Mvc;

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        // Every action now requires an authenticated user unless it is marked [AllowAnonymous].
        filters.Add(new AuthorizeAttribute());
    }
}

Then [AllowAnonymous] will work, and all other controllers and actions will require authorization.

Bradleybradly answered 5/5, 2013 at 9:12 Comment(2)
Can you provide an example? - Concertgoer
Thank you! Worth mentioning: after adding the Authorize filter, you'll need (as I did) to allow anonymous access to your site. - Concertgoer
You can also register the Authorize filter in the RegisterGlobalFilters method:

public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    filters.Add(new HandleErrorAttribute());
    filters.Add(new AuthorizeAttribute());
} 

And then use the AllowAnonymous attribute on action methods that require anonymous access:

[Authorize]
public class AccountController : Controller
{
    // Opted out of the controller-level [Authorize]: anonymous users can reach this action.
    [AllowAnonymous]
    public ActionResult RecoverPassword()
    {
        return View();
    }
}
Kizer answered 5/5, 2013 at 9:14 Comment(2)
Thanks, hVostt was 2 minutes before you. - Concertgoer
No problem. Glad you got your answer :) - Kizer
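A complete version of the approach in the two answers above (Bradleybradly's and Kizer's), as an added example that is not code from the original question or answers. It assumes an AccountController, a LoginModel and the ASP.NET Membership provider for the credential check; those names are illustrative, the rest is the standard ASP.NET MVC 4 / System.Web API. The web.config fragment in the comment is what the question's configuration becomes once the <authorization><deny users="?"/> block is removed, which is the change that lets [AllowAnonymous] take effect.

```csharp
// Added example (not from the original question or answers): global
// AuthorizeAttribute plus [AllowAnonymous] opt-outs, carried through to a
// complete login controller. AccountController, LoginModel and the use of the
// Membership provider are assumptions for illustration.
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        // Deny by default: every action requires an authenticated user unless
        // it (or its controller) carries [AllowAnonymous]. A controller added
        // later without any attribute is therefore closed, not open.
        filters.Add(new AuthorizeAttribute());
    }
}

// web.config keeps only the forms element. The <authorization><deny users="?"/>
// block must go: with it in place UrlAuthorizationModule redirects every
// anonymous request to loginUrl before MVC ever evaluates [AllowAnonymous].
//   <authentication mode="Forms">
//     <forms loginUrl="~/Account/Login" timeout="2880" />
//   </authentication>

public class LoginModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class AccountController : Controller
{
    // Anonymous users must be able to reach these, so opt them out explicitly.
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [AllowAnonymous]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (ModelState.IsValid && Membership.ValidateUser(model.UserName, model.Password))
        {
            FormsAuthentication.SetAuthCookie(model.UserName, createPersistentCookie: false);
            // Only follow a local returnUrl; an absolute URL here would be an open redirect.
            if (Url.IsLocalUrl(returnUrl))
            {
                return Redirect(returnUrl);
            }
            return RedirectToAction("Index", "Home");
        }
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }

    [AllowAnonymous]
    public ActionResult Register()
    {
        return View();
    }

    [AllowAnonymous]
    public ActionResult RecoverPassword()
    {
        return View();
    }

    // No [AllowAnonymous]: the global filter applies, so this needs a signed-in user.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Login");
    }
}
```

Wire the filter up from Global.asax with `FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);` in Application_Start (the MVC 4 template already does this), and make sure loginUrl in web.config points at the controller and action you actually marked [AllowAnonymous]; the question used ~/Login/Login, this example uses ~/Account/Login. The security reason to prefer the global filter over per-controller [Authorize] is that it fails closed: forgetting an attribute on a new controller leaves it protected rather than public. [AllowAnonymous] on an action also wins over [Authorize] on its controller, so you can keep the controller closed and open only the handful of actions an unauthenticated user needs.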
There are two possible approaches.

First - you can deny anonymous requests globally with the Authorize attribute and mark those few actions which do not need authorization with the AllowAnonymous attribute (which is new to MVC 4).

Second - do not deny globally but rather secure your selected controllers/actions with Authorize attribute.

Ineffaceable answered 5/5, 2013 at 9:13 Comment(2)
This is not accurate regarding your first approach: if you deny anonymous requests and do not add the Authorize filter, you won't be able to get to any action besides the login action, and the AllowAnonymous attribute will not be taken into consideration by MVC. - Concertgoer
I wasn't clear enough; the denial should of course be done with Authorize. I hope the edited version is clear. Thanks. - Ineffaceable
Did you try to allow anonymous access for the URLs, like in the sample below?

<location path="Login/Login">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>

Similarly, you should set this for ResetPassword / RestorePassword / Register etc.

Bornholm answered 5/5, 2013 at 9:10 Comment(1)
Doesn't the attribute achieve the same behaviour? - Concertgoer
I removed the following portion from web.config, and then it started working for me.

<!--<authorization>
  <deny users="?" />
</authorization>-->
Arabic answered 3/5, 2018 at 7:20 Comment(0)
