Excluding an action from authorization in ASP.NET MVC 2

Question

I am using forms authentication in my ASP.NET MVC application. I want to the signup page from the authorization process. I know I can add a location tag in my main web.config file or create a new web.config inside the specific folder. But I just to exclude one specific action in the User controller. How do I do it?

score 4 · Answer 1 · answered Jun 04 '10 at 17:17

4

Do not use Web.config <location> authorization in an MVC application. Doing so will lead to security vulnerabilities in your web site.

Instead, use the [Authorize] attribute to control who has access to certain controllers or actions. (You can use the [Authorize] attribute on a controller's type if you want it to apply to all actions in that controller.)

More information:

answered Jun 04 '10 at 17:17

Levi

32,493
3
85
88

Isn't there a "good" way to manage these authorization rules other than compiling them into website? I'd love to be able to tweak the rules without having to redeploy the app. – Al W Dec 16 '11 at 08:26
see http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx for the MVC 4 version of Levi's comments – RickAndMSFT Mar 23 '12 at 21:57

score 2 · Answer 2 · edited May 23 '17 at 09:58

2

Try this slick way to do it.

It adds the ability to exclude Controller-level filters from an action.

[ExcludeFilter(typeof(AuthorizeAttribute)]  
public ActionMethod DontAuthorize.....

Much easier!

edited May 23 '17 at 09:58

Community

1
1

answered Jan 13 '11 at 19:27

Steve Potter

1,830
1
21
24

griegs · Answer 3 · 2010-06-04T06:26:13.733

1

You could also have created your own AllowWithoutAuthorisation attribute and decorated that ActionResult with it.

EDIT This is kinda untested but couldn't you do;

[Authorize(Users="*")]

EDIT 2

Or you could decorate each ActionResult with [Authorise] and ommit the one you want not to have authorised.

edited Jun 04 '10 at 06:26

answered Jun 04 '10 at 06:18

griegs

22,294
32
120
203

None of these work since the Authorize attribute on the controller runs even after the Action runs. – bmavity Mar 04 '13 at 22:34
1

I used `[AllowAnonymous]` – Jeremy Oct 03 '13 at 05:36

score 0 · Answer 4 · answered Jun 04 '10 at 06:09

0

OK, I have got it.

What I did is, I created a separate controller for that action and added a location element in my web.config to allow anonymous access to that action.

This will allow all access to that controller without authentication.

answered Jun 04 '10 at 06:09

Hash

801
6
19

score 0 · Answer 5 · answered Jun 03 '21 at 09:56

0

Adding the [AllowAnonymous] attribute to the method (as recommended by Jeremy) worked for me as well.

answered Jun 03 '21 at 09:56

Gedeon

422
6
11

Excluding an action from authorization in ASP.NET MVC 2

5 Answers5

Linked