
I am taking over an existing ASP.NET MVC 5 project in order to try to understand the MVC framework. I have noticed that when a user is not logged in, and he attempts to go to some of the webpages, then it automatically redirects him to the login screen. I believe that this has something to do with the following in the Web.config file:

<authentication mode="Forms">
    <forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>

However, some webpages allow access to them (and are not redirected as above) even when the user is not logged in.

So my question is: Where do I configure which web pages will be automatically redirected to the login screen, and which web pages can be accessed without authentication?

Karnivaurus
  • Both answers below (at time of writing: Peter Rasmussen's and Troy Carlson's) are valid :-): you allow a particular "route" to bypass authorization in configuration file, or you can do it at controller level. – G. Stoynev Apr 30 '14 at 18:36

3 Answers

This article explains how to do this with forms authentication. A short snippet of the configuration looks like the one below, where default1.aspx is given access.

<configuration>
   <system.web>
      <authentication mode="Forms">
         <forms loginUrl="~/Account/Login" timeout="2880" />
      </authentication>
      <!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
      <authorization>
        <deny users="?" /> 
      </authorization>
   </system.web>
   <!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
   <location path="default1.aspx">
      <system.web>
         <authorization>
            <allow users ="*" />
         </authorization>
      </system.web>
   </location>
</configuration>
Peter Rasmussen
  • You are confusing WebForms with MVC. While some of the mechanism is similar, the convention (and superior way) is to place attributes on Controllers and Actions as Troy demonstrated. – Dave Alperovich Apr 30 '14 at 21:16
  • @DaveAlperovich I use MVC and using `AllowAnonymous` didn't work for me, because I had ``. However, if I remove this `deny`, for some reason the `HttpContext.Current.User` is null after login (in the next requests, not in the login request, where the user is obviously null). I'm still trying to figure out why this happens, it's very strange, since I'm using ASP.NET Identity with cookies/forms authentication. – Alisson Reinaldo Silva Jul 21 '17 at 18:28
  • @DaveAlperovich in my situation `HttpContext.Current.User` is null even for next requests if I remove the `` from my web.config. However, if I keep this `deny` in my web.config, then `AllowAnonymous` stops working. Is this a normal behaviour? – Alisson Reinaldo Silva Jul 21 '17 at 20:27
  • @DaveAlperovich do I need `` when using ASP.NET Identity? – Alisson Reinaldo Silva Jul 21 '17 at 20:29
  • @Alisson, I just wrote a response and then re-read your comment, and realized I misunderstood your dilemma. Obviously the http request will not know your user logged in during the request, but it **should** know on the next request. Yes, that's strange. That means that `HttpContext.Current.User` is never populated in your application? (Your second question about `` having higher priority than `AllowAnonymous` makes sense. The two, ideally, should not be used together... – Dave Alperovich Jul 21 '17 at 20:31
  • @DaveAlperovich I log the user in by using `await SignInManager.PasswordSignInAsync(user.UserName, model.Password, model.RememberMe, shouldLockout: true);` in the default `AccountController`. My web.config has `` as well. If I remove ``, on the next requests the user is null. If I keep it, the user is populated with a `ClaimsPrincipal`, with their roles stored as claims (default behaviour), and `Authorize(Roles="Admin")` works fine, just `AllowAnonymous` stops working. – Alisson Reinaldo Silva Jul 21 '17 at 20:36
  • @Alisson, I don't think **Owin** authentication is compatible with Forms Authentication. Try commenting out all references to Forms auth and adding ` ` – Dave Alperovich Jul 21 '17 at 20:43
  • @DaveAlperovich this was exactly what I was looking for. Removing `` and `` tags from **web.config** solved everything. Much cleaner!!! Thanks for the tips, you made my day. – Alisson Reinaldo Silva Jul 21 '17 at 21:00

You can set an [Authorize] attribute on the controller action that will require the user to be authorized, otherwise they will be redirected to the page specified in the config. You can also specify individual roles that are required to access an action or require authorization for all actions on a controller and explicitly turn off authorization for actions.

Authorize Individual Actions

using System.Web.Mvc;

public class HomeController : Controller
{
    public string Index()
    {
        // No [Authorize]: reachable without logging in
        return "Public content";
    }

    [Authorize]
    public string SecretAction()
    {
        // Requires an authenticated user; anonymous requests are redirected to loginUrl
        return "Secret content";
    }
}

Authorize All Actions

using System.Web.Mvc;

[Authorize]
public class HomeController : Controller
{
    public string Index()
    {
        // Inherits [Authorize] from the controller (redirects to login)
        return "Secret content";
    }

    public string SecretAction()
    {
        // Inherits [Authorize] from the controller (redirects to login)
        return "More secret content";
    }
}

Authorize All Actions Except For One

using System.Web.Mvc;

[Authorize]
public class HomeController : Controller
{
    public string Index()
    {
        // Inherits [Authorize] from the controller (redirects to login)
        return "Secret content";
    }

    [AllowAnonymous]
    public string PublicAction()
    {
        // [AllowAnonymous] overrides the controller-level [Authorize]: no login required
        return "Public content";
    }
}

More here: http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.aspx

And here: Authorize attribute in ASP.NET MVC

Troy Carlson
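Added example (not code from any of the answers above): the deny-by-default variant of this approach, where a global AuthorizeAttribute protects every action and public pages are explicitly opted out with [AllowAnonymous]. The controller name, action names and the "Auditor" role are hypothetical; FilterConfig.RegisterGlobalFilters is the hook the MVC 5 template calls from Global.asax.

```csharp
using System.Web.Mvc;

// Registered from Application_Start in Global.asax:
//   FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());

        // Deny by default: every action now requires an authenticated user
        // unless it carries [AllowAnonymous]. Unauthenticated requests are
        // redirected to the loginUrl configured in
        // <forms loginUrl="~/Account/Login" /> in Web.config.
        filters.Add(new AuthorizeAttribute());
    }
}

// Hypothetical controller showing the three levels of access.
public class ReportsController : Controller
{
    // Public page: explicitly opted out of the global filter.
    [AllowAnonymous]
    public ActionResult Index()
    {
        return View();
    }

    // Any authenticated user: protection is inherited from the global filter,
    // so forgetting an attribute here fails closed rather than open.
    public ActionResult MyReports()
    {
        return View();
    }

    // Authenticated AND in the Auditor role. A logged-in user without the
    // role gets the same 401 that forms authentication turns into a redirect
    // to the login page.
    [Authorize(Roles = "Auditor")]
    public ActionResult Export()
    {
        return View();
    }
}
```

With a global AuthorizeAttribute, the login action itself (and registration, password reset, etc.) must carry [AllowAnonymous], otherwise the redirect to ~/Account/Login is itself denied and loops.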

An easy workaround if you are doing something simple (like a page or two of public content) is just this:

Response.SuppressFormsAuthenticationRedirect = true;
micahhoover