How to Allow an Anonymous User Access to Some Given Page in MVC

How to allow an anonymous user access to some given page in MVC?

In MVC you normally use the [Authorize] attribute to manage authorization. Controllers or individual actions that are dressed with that attribute will require that the user is authorized in order to access them - all other actions will be available to anonymous users.

In other words, a black-list approach, where actions that require authorization are black-listed for anonymous users using [Authorize] - all actions (not dressed with the attribute) will be available.

Update:

With MVC4 a new attribute has been introduced, namely the [AllowAnonymous] attribute. Together with the [Authorize] attribute, you can now take a white-list approach instead. The white-list approach is accomplished by dressing the entire controller with the [Authorize] attribute, to force authorization for all actions within that controller. You can then dress specific actions, that shouldn't require authorization, with the [AllowAnonymous] attribute, and thereby white-listing only those actions. With this approach, you can be confident that you don't, by accident, forget to dress an action with the [Authorize], leaving it available to anyone, even though it shouldn't.

Your code could then be something like this:

[Authorize]
public class UserController : Controller {

   [AllowAnonymous]
   public ActionResult LogIn () {
      // This action can be accessed by unauthorized users
   }

   public ActionResult UserDetails () {
      // This action can NOT be accessed by unauthorized users
   }
}

How to allow anonymous access only to the front page of a website?

if you want to enable anonymous access to controllers / actions you have to enable it in your Web.Config:

<location path="Home/Index">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>

A better approach for a pure MVC app is to use the Authorize attribute and enable access to all users in the web.config.

public void Application_BeginRequest()
{
    if (Request.AppRelativeCurrentExecutionFilePath == "~/")
        HttpContext.Current.RewritePath("/Home/Index");
}

It is working i have checked that.

Allow Anonymous to call certain action in asp.net mvc 3

As you are denying everyone from application by using.

<authorization>
    <deny users="?"/>
</authorization>

IMHO, you should not use web.config to control the authentication of your application instead use Authorize attribute.

Add this in your Global.asax file under RegisterGlobalFilters method

public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    filters.Add(new HandleErrorAttribute());
    filters.Add(new AuthorizeAttribute()); //Added
}

or you can decorate also your controller with [Authorize]

[Authorize]
public class HomeController : Controller
{
    ...
}

If you are using ASP.NET MVC4, For action which require Anonymous access use AllowAnonymous attribute

[AllowAnonymous]
public ActionResult ForgotPassword() {
    //More over when i place a breakpoint for the below line 
    //its not even getting here
    return View("Login");;   
}

As per Reference, You cannot use routing or web.config files to secure your MVC application. The only supported way to secure your MVC application is to apply the Authorize attribute to each controller and use the new AllowAnonymous attribute on the login and register actions. Making security decisions based on the current area is a Very Bad Thing and will open your application to vulnerabilities.

Allow anonymous access to controller action

modifying the location path attribute worked for me.

<location path="Item/WebGallery">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

Attribute for only allow anonymous in ASP.Net MVC

I don't think there's an existing one, but there's no reason you can't roll your own. However, I would point out that it seems odd that you'd go to the extra effort to restrict content to an authenticated user:

public class AnonymousOnly : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
             // Do what you want to do here, e.g. show a 404 or redirect
        }
    }
}

Then just decorate your class/method with this new attribute:

[AnonymousOnly]
public ActionResult Login(string returnUrl = "")
{
    // code
}

Use Anonymous authentication in MVC4 on single controller when the whole application uses Windows Authenticaion

Add this to your Web.config. Here, my controller is named "WebhookController".

<location path="Webhook">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

See this KB article for more info.

Edit
- As Erik mentioned below, in MVC applications you should not use web.config <authorization> tags for security. Instead, use [Authorize] attributes. Doing so will allow your [AllowAnonymous] attributes to work correctly. You can read more about this here.

---

Related Topics