10

Setup (using MVC 4)

using System.Web;
using System.Web.Mvc;

public class MyAuthorizeAttribute : AuthorizeAttribute {

    protected override bool AuthorizeCore(HttpContextBase httpContext) {

        // Let the built-in check decide first (authenticated user, Users/Roles match).
        var isAuthorised = base.AuthorizeCore(httpContext);

        if(isAuthorised) {
            // retrieve authentication ticket from cookie and
            // create custom principal and attach to
            // httpContext.User
        }

        return isAuthorised;
    }
}

Global.asax.cs:

public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    filters.Add(new HandleErrorAttribute());
    filters.Add(new MyAuthorizeAttribute());
}

HomeController.cs:

using System.Web.Mvc;

public class HomeController : Controller
{
    [AllowAnonymous]
    public ActionResult Index()
    {
        return View();
    }
}

Problem

A call to the home page forces the login page to load.

Question

When the HomeController.Index() action is decorated with [AllowAnonymous], why does ASP redirect me to the login view?

I am using this article for reference

Alan Alcock
  • I just checked with the built-in Authorize and it's working fine for me. Maybe you have to check your custom authorize code. – VJAI Jun 14 '12 at 13:03
  • I've tried with the built-in Authorize attribute, replacing the attribute being added to the global filter in my global.asax, but I'm still being redirected to the login page when calling the index action on the home controller. Am I missing something? Some setting in my web.config? I have no membership provider, role provider or profile provider configured. Should I have? – Alan Alcock Jun 14 '12 at 20:00
  • The forms authentication setting in the web.config is the one that redirects to the login page. But you don't need any additional settings. I tried creating a fresh MVC 4 application (Internet template), marking the Home controller with Authorize and the Index action with AllowAnonymous, and it worked as expected. – VJAI Jun 15 '12 at 02:16
  • Thanks for the confirmation that everything works as expected Mark. I went back to basics and created a simple internet application and sure enough it does work. It led me to investigate other reasons why. Turns out, the index page was calling Actions on other controllers that returned partial views. I went through every action being called and applied the correct attributes and you are right it does work. Many thanks for your help. Persistence and effort paid off. – Alan Alcock Jun 15 '12 at 07:50

4 Answers

11

As per my comment on the original question. The problem was that the index view was calling actions on other controllers that returned partial views. Just a case of going through everything and stripping out the old [Authorize] attribute.

Alan Alcock
  • If this solved the problem, mark it as the answer. You can answer your own questions. – AJ. Jan 23 '13 at 15:25
  • Great find! I was banging my head against the wall on this one! Could not figure out why I would "log out" and returning to my home page would automatically take me through the log in process again. Thank you! – Airn5475 May 11 '15 at 17:05
5

Although the original poster has found the cause in his case, I would like to share my resolution, as I came across this question when faced with the same symptoms.

In my web.config file I had, obeying the logic of webforms:

<authorization>
  <deny users="?" />
</authorization>

You must not have this, as it will prevent the request from executing any action without logging in first, except for the login action to which the redirection takes place. I only discovered this when I tried to add a second public action.

R. Schreurs
2

I had a similar problem, and in the end I had used the wrong AllowAnonymousAttribute class. There are two AllowAnonymousAttribute classes:

In your case you have to use, of course, the one from System.Web.Mvc :)

I've spent more than one hour figuring it out in my program

Rafal Spacjer
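
Added example, not part of the original answers: a small reflection audit for the two causes described above, child actions on other controllers that still require login, and an AllowAnonymous attribute taken from a namespace other than System.Web.Mvc. The class name AnonymousAccessAudit and the output labels are hypothetical; it assumes an MVC 4 project where an authorize filter is registered globally, as in the question.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Hypothetical helper (added example): lists every controller action and whether
// a globally registered authorize filter will let an anonymous request through.
public static class AnonymousAccessAudit
{
    public static IEnumerable<string> Run(Assembly webAssembly)
    {
        var controllers = webAssembly.GetTypes()
            .Where(t => !t.IsAbstract && typeof(Controller).IsAssignableFrom(t));

        foreach (var controller in controllers)
        {
            // Public instance methods not inherited from Controller and not [NonAction].
            var actions = controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance)
                .Where(m => !m.IsSpecialName
                    && !m.GetBaseDefinition().DeclaringType.IsAssignableFrom(typeof(Controller))
                    && !m.IsDefined(typeof(NonActionAttribute), true));

            foreach (var action in actions)
            {
                string name = controller.Name + "." + action.Name;
                if (HasLookalike(controller) || HasLookalike(action))
                    yield return "WRONG-ATTRIBUTE " + name; // not the MVC class: the MVC filter ignores it
                else if (IsMvcAnonymous(controller) || IsMvcAnonymous(action))
                    yield return "ANONYMOUS       " + name; // reachable without login: confirm this is intended
                else
                    yield return "LOGIN-REQUIRED  " + name; // forces a login redirect if a public view renders it
            }
        }
    }

    // True only for System.Web.Mvc.AllowAnonymousAttribute (the sole namespace imported here).
    static bool IsMvcAnonymous(MemberInfo member)
    {
        return member.IsDefined(typeof(AllowAnonymousAttribute), true);
    }

    // An attribute with the same simple name that is a different type.
    static bool HasLookalike(MemberInfo member)
    {
        return member.GetCustomAttributes(true).Any(a =>
            a.GetType().Name == "AllowAnonymousAttribute" && !(a is AllowAnonymousAttribute));
    }
}
```

Pass the web application's assembly to Run from a debug-only code path and review the output: every LOGIN-REQUIRED action rendered inside a public view needs attention, and the ANONYMOUS list is the application's unauthenticated surface.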
-1

Though this is not an answer, but..

Try with the built-in Authorize code and make sure AllowAnonymous is working fine. I see in your custom authorize comments you are trying to

retrieve authentication ticket from cookie and create custom principal and attach to httpContext.User

I would suggest you do that process much earlier, in the Application_AuthenticateRequest of Global.asax.cs, as specified in this thread.

VJAI