Why is AllowAnonymous not working while deployed to Azure Websites?

4

7

I have an MVC4 web app with the following controller:

[Authorize]
public class AccountController : BaseController
{
  [AllowAnonymous]
  public ActionResult SignInRegister(LoginModel loginModel, string returnUrl)
  {
    //some implementation
  }
  //other secured actions
}

This is working as expected when running locally, but as soon as I deploy it to the Free Azure Website I get a 401 error code with the message: You do not have permission to view this directory or page.

Removing the [Authorize] attribute and redeploying works as expected, adding it again and redeploying brings back the problem.

I even tried the fully qualified class names: System.Web.Mvc.Authorize and System.Web.Mvc.AllowAnonymous with the same results.

The app is using .NET 4.5 and the Azure Website is also configured to use 4.5.

UPDATE: The BaseController has an action that returns the Header as partial view which was not decorated with [AllowAnonymous]. Locally it resulted in the page being displayed without the header, but on Azure Websites the response was cut off and only returned with the error message mentioned above. I had not realized the header was missing until I purposely looked into it.

Now the question begs to be asked: why is Azure Websites overriding the response?

Rufinaruford answered 2/7, 2013 at 15:39 Comment(1)
You should post your update as an answer. – Otherdirected
4

The BaseController has an action that returns the Header as partial view which was not decorated with [AllowAnonymous]. Locally it resulted in the page being displayed without the header, but on Azure Websites the response was cut off and only returned with the error message mentioned above. I had not realized the header was missing until I purposely looked into it.

Now the question begs to be asked: why is Azure Websites overriding the response?

Rufinaruford answered 7/8, 2015 at 15:19 Comment(1)
This helped me out. If you're going to be including partial views for layouts etc, they need to be marked as [AllowAnonymous]. – Botulinus
2

I had the exact same problem and like Jonas' update says, you need to look out for Actions that return Partial Views AND have the [Authorize] attribute.

What you need to do is to remove the [Authorize] attribute and then if your action needs the user to be authenticated to render properly, have your code handle the unauthorized case.

An example is if your page displays the currently logged-in user's name via a Partial. Have your action display an empty string or something else if the currently logged-in user is not available.

Suburbanize answered 21/5, 2014 at 10:30 Comment(0)
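
An added example (not code from the question or from any answer) of the fix described above: the shared header child action opts out of the inherited [Authorize] and handles the signed-out case itself. HeaderViewModel, the _Header partial, the Manage action and the LoginModel properties are assumed names.

```csharp
using System.Web.Mvc;

// Assumed shapes; the question does not show these types.
public class LoginModel { public string UserName { get; set; } }
public class HeaderViewModel
{
    public bool IsAuthenticated { get; set; }
    public string DisplayName { get; set; }
}

public abstract class BaseController : Controller
{
    // Inherited by every controller, including ones marked [Authorize],
    // so it must opt out explicitly or anonymous pages cannot render it.
    [AllowAnonymous]
    [ChildActionOnly] // reachable only through Html.Action / Html.RenderAction
    public ActionResult Header()
    {
        var identity = User != null ? User.Identity : null;
        var signedIn = identity != null && identity.IsAuthenticated;

        // Handle the signed-out case here instead of relying on [Authorize].
        var model = new HeaderViewModel
        {
            IsAuthenticated = signedIn,
            DisplayName = signedIn ? identity.Name : string.Empty
        };
        return PartialView("_Header", model);
    }
}

[Authorize]
public class AccountController : BaseController
{
    [AllowAnonymous]
    public ActionResult SignInRegister(LoginModel loginModel, string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View(loginModel);
    }

    // No [AllowAnonymous]: still covered by the class-level [Authorize].
    public ActionResult Manage()
    {
        return View();
    }
}
```

The _Header partial should render only what an anonymous visitor may see when IsAuthenticated is false, since the action itself is no longer gated.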
1

Check your web.config if you have

<authorization>
  <deny users="?" />
</authorization>

It overrides [AllowAnonymous].

Add to web.config section:

<location path="YourController/AnonymousMethod">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

to allow anonymous access for AnonymousMethod

Tangency answered 18/7, 2017 at 13:0 Comment(0)
0

It could be that it is working, but there is an error loading the page (e.g. one of the DI dependencies failed) and it is redirecting to your error page, and your error page requires auth. You would need to [AllowAnonymous] your error page.

This was why it was happening to me only when deployed - my DI was working locally.

Pilcher answered 23/5 at 0:5 Comment(0)
