Closed qinyuanpei closed 4 years ago
I'm not sure where you are sticking your [Authorize] attributes, but you can sprinkle them individually on only the Controllers and/or Actions you want to put them on. The Authorize attribute triggers the authentication. So if you take this granular approach instead of application-wide, the authorization would only happen on the things you applied the Authorize attribute to. Then, if a specific Action doesn't have it and also the parent Controller doesn't, then that specific Action would have no authentication.
It's one of those things where like I don't see your code and your situation so I really can't help that much. It's like poking around in the dark for something. ¯\_(ツ)_/¯
Like I said, I have no clue what "thing" you inherited from those outsourced consultants and if my experience tells me anything... I feel bad for you and your team having to deal with it.
You could also try looking at using the AllowAnonymous attribute on the specific controllers/actions you are looking to not trigger authentication on: https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api
Someone wrote a blog article about it too: https://www.davidhayden.me/blog/asp.net-mvc-4-allowanonymous-attribute-and-authorize-attribute
I'm going to close the issue. If you feel like you have any more input, just comment on this same issue.
I had tried to add [AllowAnonymous] on Controllers or Actions. I also tried to overwrite the [Authorize] to ignore some URL patterns.
But all of this can't work, because I have a configuration as follows:
```xml
<authentication mode="Forms">
  <forms loginUrl="http://issosit.ysyec.com/isso/login" timeout="30" defaultUrl="~/Home/Index.cshtml" cookieless="UseCookies" slidingExpiration="true" path="/"/>
</authentication>
<authorization>
  <deny users="?"/>
  <allow users="*"/>
</authorization>
```
Just drop the <deny users="?"/>, so it is my mistake. Thanks for your help!
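The granular setup this thread converges on, as an added example that is not code from the issue or from dotnet-cas-client: a `<deny users="?"/>` rule in web.config is enforced by ASP.NET's UrlAuthorizationModule before any MVC or Web API filter runs, so `[AllowAnonymous]` cannot override it; once the rule is dropped, the filters below decide per action. Controller and action names are hypothetical, and the sketch assumes the default MVC 4 `FilterConfig` / `WebApiConfig` layout.

```csharp
// Added illustration: class and action names are hypothetical.
// Assumes <deny users="?"/> is removed from web.config, so filters decide.
using System.Web.Http;
using System.Web.Mvc;

public static class FilterConfig
{
    // MVC pipeline: every MVC action requires an authenticated user by default.
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new System.Web.Mvc.AuthorizeAttribute());
    }
}

public static class WebApiConfig
{
    // Web API has its own filter collection and its own attribute types.
    public static void Register(HttpConfiguration config)
    {
        config.Filters.Add(new System.Web.Http.AuthorizeAttribute());
        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional });
    }
}

// Web API controller: only the System.Web.Http attributes are honoured here.
public class StatusController : ApiController
{
    [System.Web.Http.AllowAnonymous]   // exempt from the global Web API filter
    public string Get() { return "ok"; }

    // No attribute: the global filter applies and anonymous callers are rejected.
    public string Get(int id)
    {
        return User.Identity.Name;
    }
}

// MVC controller: only the System.Web.Mvc attributes are honoured here.
public class HomeController : Controller
{
    [System.Web.Mvc.AllowAnonymous]
    public ActionResult About() { return View(); }

    public ActionResult Index() { return View(); }   // requires login
}
```

Defaulting to authenticated and exempting individual actions keeps newly added endpoints protected unless someone explicitly opens them, which is the safer direction when removing an application-wide deny rule.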
We have an ASP.NET MVC 4 site which was developed by other people, and this is the background. Now we have integrated it with dotnet-cas-client and it works! But we found this client will block Web API, because people had written lots of Web API in an ASP.NET MVC 4 project. So my question is how to ignore a specified Controller or Action. I had tried to fix the lifetime of IHttpModule, but it doesn't work. Can you kindly give me some advice?