6

Here is a simple overview of my directory layout for my views:

Project

  • Page 1
  • Page 2
  • RSS

Issues

  • Page 1
  • Page 2
  • RSS

I am using forms authentication to deny access to all unauthenticated users, that works fine. However, I want to be able to grant access to the RSS views to everyone (so they can subscribe via google reader and stuff)

I understand that you can grant access to pages by adding the following page to your web.config

  <location path="TOURPAGE.aspx">
<system.web>
  <authorization>
    <allow users="*" />
    <allow users="?" />
  </authorization>
</system.web>

However, how would I do this with my dynamically made URL's, such as:

Issues/RSS/chrisj
  • That path maps to a controller in issues called RSS, which takes a username and spits out an RSS of thier issues...

EDIT

Some answers I thought had fixed it, but:

It seems that, in my case at least, you still need the authentication cookie in order to see the page. You can be logged out and view it, so long as you have the cookie.

That is no good to me, I need the page to be completely public, as it is an RSS feed.

Improve this question

5 Answers 5

Reset to default
4

This was actually much simpler than I thought. Seems .net is quite clever, I tried the following:

  <location path="Issues/RSS">
<system.web>
  <authorization>
    <allow users="*" />
    <allow users="?" />
  </authorization>
</system.web>

And it worked :)

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

3
+50

Forget about the <location><allow /><deny /> stuff... sounds like you need to use the [Authorize] attribute on your actions.

Check out these pages for more info: http://www.asp.net/learn/mvc/tutorial-17-cs.aspx http://www.pnpguidance.net/post/ASPNETMVCFrameworkPreview4HandleErrorAuthorizeOutputCacheActionFilterAttributes.aspx

Also, the attribute can be applied at the controller level as well, so you don't have to put it on each individual action.

Improve this answer

1 Comment

hey hi, I am doing this exact thing and its working great, but my index page forces people to login and I dont want that. I have the whole class and controller methods with [allowannonymous] but its still forcing login. can you help with that?
2 
<location path="/Issues/RSS/">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>

EDIT: The reason this works by the way, is because .NET is assuming that URL goes to a directory, and this location tag above says "anything in the 'Issues/RSS' directory is safe :)

Improve this answer

1 Comment

This doesn't work for me as it complains that it can't end or start with a "/". "~/Issues" works, but not "/Issues" or "~/Issues/".
0

This might not be working as intended.

It seems that, in my case at least, you still need the authentication cookie in order to see the page. You can be logged out and view it, so long as you have the cookie.

That is no good to me, I need the page to be completely public, as it is an RSS feed.

Improve this answer

Comments

0

I agree with Charlino that the [Authorize] tag will probably solve your problem.

If you are using a single controller action for both RSS and a page (and are just rendering a different ActionResult based on some parameter), you can check if the user is authenticated with HttpContext.Current.User.Identity.IsAuthenticated, and use that within the controller action to decide whether or not to continue & allow access.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.