2

I am trying to determine how to configure access to a Web API controller service under forms authentication. If I add authorization configuration to deny all anonymous users by adding the authorization element:

<authorization>
   <!-- Deny all anonymous users -->
   <deny users="?" />
</authorization>

Only the login page is accessible as expected. But I would also like access to a list returned from a controller. I added the [AllowAnonymous] attribute to a simple service that returns values used to populate a drop down menu. For example:

// using directives needed for ApiController and List<T>
using System.Collections.Generic;
using System.Web.Http;

namespace WebAPI.Controllers
{
    public class RegisterController : ApiController
    {
        // ListElement is the asker's own model type (Id/Text); its definition is not shown in the question.
        [AllowAnonymous]
        public List<ListElement> GetActivitiesList()
        {
            List<ListElement> li = new List<ListElement>();

            li.Add(new ListElement() { Id = 1, Text = "Item 1" });
            li.Add(new ListElement() { Id = 2, Text = "Item 2" });
            li.Add(new ListElement() { Id = 3, Text = "Item 3" });

            return li;
        }
    }
}

I added the controllers directory to the allowed list in the web.config:

<location path="Controllers">
   <system.web>
      <authorization>
         <allow users="*" />
      </authorization>
   </system.web>
</location>

If I browse my sample page to invoke the controller, forms authentication still denies access with a 302 redirect to the login page, even if I add the [AllowAnonymous] attribute. If I remove the authorization element <deny users="?" /> for the entire site, I can control access using the [Authorize] and [AllowAnonymous] attributes.

The objective is to be able to use specific services on a few pages (like registration) for anonymous users, while the rest of site access is restricted to authenticated users. Accessing a service is not exactly the same as accessing a file, so my guess is that I have to write a special handler for this situation, but I am not sure as to how to go about it.

1
  • I should have mentioned that I am updating a Web Forms app, augmented with Web API installed via NuGet. The project is not an MVC app. It may be that the best thing to do is create a new Web API app at this point, given the potential security risks. Thanks for that pointer. Commented Dec 30, 2012 at 7:48

2 Answers

5

First off, don't use the old-school ASP.NET allow/deny mechanism to control access when you are using ASP.NET MVC. I don't think this is supported, and may instead create security holes in your site (source). The correct way to control access in ASP.NET MVC is to use the [Authorize] and [AllowAnonymous] attributes on your controller classes and/or methods as you alluded to in your question.

If you want to make it so that your whole application requires a login for every method except a couple, you can apply the [Authorize] attribute at the class level to all your controllers, and then apply the [AllowAnonymous] attribute at the method level for those methods that should not require authentication. There is also a way to write a FilterProvider, such that it will automatically apply the [Authorize] attribute programmatically to any controller that does not have such an attribute already applied. This is handy because then you can't accidentally forget to apply the [Authorize] attribute. See this article for details on how to do that. Note that the [AllowAnonymous] attribute introduced in MVC4 performs the same function as the custom [Public] attribute the author describes in the article. See also this article which talks about securing an MVC application in general. Both articles are a little bit dated (2011), but the basic ideas are still sound.
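The pattern this answer recommends, written out for the asker's Web API (ApiController) setup. This is an added example, not code from the question, the answer, or the linked articles. It shows class-level [Authorize] with a method-level [AllowAnonymous] opt-out, and registers AuthorizeAttribute as a global Web API filter, which plays the same deny-by-default role as the FilterProvider the answer describes for MVC: a controller that forgets [Authorize] is still protected, and only actions explicitly marked [AllowAnonymous] are reachable without a login. Assumptions: System.Web.Http (Web API 1 or 2), the default "api/{controller}/{id}" route, and a ListElement class with Id and Text properties (the asker's type is not shown on the page, so it is defined here). WebApiConfig.Register is assumed to be called from Global.asax with GlobalConfiguration.Configuration.

```csharp
// Added example; not the asker's or the answerer's code.
using System.Collections.Generic;
using System.Web.Http;

namespace WebAPI
{
    // Assumed shape of the asker's model type (not defined on the page).
    public class ListElement
    {
        public int Id { get; set; }
        public string Text { get; set; }
    }

    public static class WebApiConfig
    {
        // Assumed to be invoked from Global.asax:
        //   WebApiConfig.Register(GlobalConfiguration.Configuration);
        public static void Register(HttpConfiguration config)
        {
            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{id}",
                defaults: new { id = RouteParameter.Optional });

            // Deny-by-default for every Web API action. System.Web.Http.AuthorizeAttribute
            // skips its check when [AllowAnonymous] is present on the action or its
            // controller, so this is the Web API counterpart of the answer's FilterProvider:
            // forgetting [Authorize] on a controller no longer leaves it open.
            config.Filters.Add(new AuthorizeAttribute());
        }
    }
}

namespace WebAPI.Controllers
{
    // GET  api/register -> 200 for anonymous callers ([AllowAnonymous] wins).
    // POST api/register -> 401 unless the request carries a valid Forms auth ticket.
    [Authorize] // redundant with the global filter, but documents intent per controller
    public class RegisterController : ApiController
    {
        // The registration page's drop-down data: deliberately public.
        [AllowAnonymous]
        public List<ListElement> GetActivitiesList()
        {
            return new List<ListElement>
            {
                new ListElement { Id = 1, Text = "Item 1" },
                new ListElement { Id = 2, Text = "Item 2" },
                new ListElement { Id = 3, Text = "Item 3" },
            };
        }

        // No [AllowAnonymous] here, so the filter requires an authenticated principal.
        // Forms authentication populates User.Identity from the ticket cookie.
        [HttpPost]
        public string PostRegistration([FromBody] ListElement choice)
        {
            return "registered " + choice.Text + " for " + User.Identity.Name;
        }
    }
}
```

Two caveats for this arrangement under Forms authentication. First, the asker's `<location path="Controllers">` element refers to the physical folder, but URL authorization is evaluated against the request path (here /api/register), which is why that location element had no effect and the site-wide `<deny users="?" />` still fired; the attribute-based approach above does not depend on URL authorization at all. Second, when AuthorizeAttribute rejects a caller with 401, FormsAuthenticationModule will still convert that into a 302 to the login page, which is unhelpful for an AJAX client; on .NET 4.5 you can set `HttpContext.Current.Response.SuppressFormsAuthenticationRedirect = true` for API requests so the client sees the 401 itself.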


0

So first of all we don't know anything about the rest of the app - is it MVC or WebForms?

If your app is MVC, I totally agree with Brian that you should use [Authorize] and [AllowAnonymous] on all your controllers.

If you can't do that - you can indeed "punch holes" into the rules - but you need to use the "real" URLs, like

..and yeah - be careful ;)
