apereo / dotnet-cas-client

Apereo .NET CAS Client
Apache License 2.0

Is there any way to ignore specified Controller or Action? #109

Closed qinyuanpei closed 4 years ago

qinyuanpei commented 4 years ago

We have an ASP.NET MVC 4 site which was developed by other people, and this is the background. Now we have integrated it with dotnet-cas-client and it works! But we found this client will block Web API, because people had written lots of Web APIs in an ASP.NET MVC 4 project. So my question is how to ignore a specified Controller or Action. I tried to fix the lifetime of IHttpModule, but it doesn't work. Can you kindly give me some advice?

phantomtypist commented 4 years ago

I'm not sure where you are sticking your [Authorize] attributes, but you can sprinkle them individually on only the Controllers and/or Actions you want to put them on. The Authorize attribute triggers the authentication. So if you take this granular approach instead of application-wide, the authorization would only happen on the things you applied the Authorize attribute to. Then, if a specific Action doesn't have it and also the parent Controller doesn't, then that specific Action would have no authentication.

phantomtypist commented 4 years ago

It's one of those things where like I don't see your code and your situation so I really can't help that much. It's like poking around in the dark for something. ¯\_(ツ)_/¯

phantomtypist commented 4 years ago

Like I said, I have no clue what "thing" you inherited from those outsourced consultants and if my experience tells me anything... I feel bad for you and your team having to deal with it.

You could also try looking at using the AllowAnonymous attribute on the specific controllers/actions you are looking to not trigger authentication on: https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api

phantomtypist commented 4 years ago

Someone wrote a blog article about it too: https://www.davidhayden.me/blog/asp.net-mvc-4-allowanonymous-attribute-and-authorize-attribute

I'm going to close the issue. If you feel like you have any more input, just comment on this same issue.

qinyuanpei commented 4 years ago

I tried adding [AllowAnonymous] on Controllers or Actions. I also tried to overwrite the [Authorize] to ignore some URL patterns. But none of this works, because I have the following configuration:

<authentication mode="Forms">
   <forms loginUrl="http://issosit.ysyec.com/isso/login" timeout="30" defaultUrl="~/Home/Index.cshtml" cookieless="UseCookies" slidingExpiration="true" path="/"/>
</authentication>
<authorization>
   <deny users="?"/>
   <allow users="*"/>
</authorization>

Just drop the <deny users="?"/>, so it was my mistake. Thanks for your help!
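
The site-wide `<deny users="?"/>` rule in the last comment is enforced by ASP.NET URL authorization before any MVC or Web API attribute is evaluated, which is why `[AllowAnonymous]` had no effect until it was removed. The following is an added example, not code from this thread or from dotnet-cas-client, showing one way to keep deny-by-default after removing that rule: global `[Authorize]` filters with explicit opt-outs. All class, controller and route names are hypothetical.

```csharp
// Added example (assumes <deny users="?"/> has been removed from web.config).
// Class, controller and route names below are hypothetical.
using System.Web.Http;
using System.Web.Mvc;

public static class FilterConfig
{
    // Call from Application_Start:
    //   FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        // Every MVC action now requires an authenticated user unless it opts out.
        filters.Add(new System.Web.Mvc.AuthorizeAttribute());
    }
}

public static class WebApiConfig
{
    // Call from Application_Start:
    //   WebApiConfig.Register(GlobalConfiguration.Configuration);
    public static void Register(HttpConfiguration config)
    {
        // Web API has its own filter pipeline and its own AuthorizeAttribute,
        // so the MVC global filter above does not cover ApiController actions.
        config.Filters.Add(new System.Web.Http.AuthorizeAttribute());
        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional });
    }
}

public class StatusController : ApiController
{
    // Explicit opt-out: reachable without a login.
    [System.Web.Http.AllowAnonymous]
    public string Get() { return "ok"; }
}

public class OrdersController : ApiController
{
    // No attribute: the global filter applies and anonymous callers get 401.
    public string Get(int id) { return "order " + id; }
}
```

Global filters cover only MVC and Web API actions; static files and other handlers are no longer protected by the removed `<deny>` rule.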