
I am trying to determine how to configure access to a Web API controller service under forms authentication. If I add authorization configuration to deny all anonymous users by adding the authorization element:

<authorization>
   <!-- Deny all anonymous users -->
   <deny users="?" />
</authorization>

Only the login page is accessible as expected. But I would also like access to a list returned from a controller. I added the [AllowAnonymous] attribute to a simple service that returns values used to populate a drop down menu. For example:

using System.Collections.Generic;
using System.Web.Http;

namespace WebAPI.Controllers
{
    // Item returned to the page for the drop-down (class assumed here; the
    // original snippet references it without showing its definition).
    public class ListElement
    {
        public int Id { get; set; }
        public string Text { get; set; }
    }

    public class RegisterController : ApiController
    {
        // Intended to be reachable before login: the registration page needs
        // this list to populate its drop-down menu.
        [AllowAnonymous]
        public List<ListElement> GetActivitiesList()
        {
            List<ListElement> li = new List<ListElement>();

            li.Add(new ListElement() { Id = 1, Text = "Item 1" });
            li.Add(new ListElement() { Id = 2, Text = "Item 2" });
            li.Add(new ListElement() { Id = 3, Text = "Item 3" });

            return li;
        }
    }
}

I added the controllers directory to the allowed list in the web.config:

<location path="Controllers">
   <system.web>
      <authorization>
         <allow users="*" />
      </authorization>
   </system.web>
</location>

If I browse my sample page to invoke the controller, forms authentication still denies access with a 302 redirect to the login page, even if I add the [AllowAnonymous] attribute. If I remove the authorization element "<deny users="?" />" for the entire site, I can control access using the [Authorize] and [AllowAnonymous] attributes.

The objective is to be able to use specific services on a few pages (like registration) for anonymous users, while the rest of site access is restricted to authenticated users. Accessing a service is not exactly the same as accessing a file, so my guess is that I have to write a special handler for this situation, but I am not sure as to how to go about it.

John
  • I should have mentioned that I am updating a Web Forms app, augmented with Web API installed via NuGet. The project is not an MVC app. It may be that the best thing to do is create a new Web API app at this point, given the potential security risks. Thanks for that pointer. – John Dec 30 '12 at 07:48

2 Answers


First off, don't use the old-school ASP.NET allow/deny mechanism to control access when you are using ASP.NET MVC. I don't think this is supported, and may instead create security holes in your site (source). The correct way to control access in ASP.NET MVC is to use the [Authorize] and [AllowAnonymous] attributes on your controller classes and/or methods as you alluded to in your question.

If you want to make it so that your whole application requires a login for every method except a couple, you can apply the [Authorize] attribute at the class level to all your controllers, and then apply the [AllowAnonymous] attribute at the method level for those methods that should not require authentication. There is also a way to write a FilterProvider, such that it will automatically apply the [Authorize] attribute programmatically to any controller that does not have such an attribute already applied. This is handy because then you can't accidentally forget to apply the [Authorize] attribute. See this article for details on how to do that. Note that the [AllowAnonymous] attribute introduced in MVC4 performs the same function as the custom [Public] attribute the author describes in the article. See also this article which talks about securing an MVC application in general. Both articles are a little bit dated (2011), but the basic ideas are still sound.

Brian Rogers
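Brian's answer is written for MVC; the question's controllers run under Web API (System.Web.Http), which has the same deny-by-default pattern in its own pipeline. The following is an added example, not part of the answer or of the question's project: it registers Web API's AuthorizeAttribute as a global filter (the Web API counterpart of the FilterProvider approach, so no controller can be shipped unprotected by accident) and opts the one registration call out with [AllowAnonymous]. The route template, the WebApiConfig class, the second action and the ListElement type are assumptions for illustration.

```csharp
// Added example, not code from the original post. Assumes ASP.NET Web API
// (System.Web.Http) hosted in an ASP.NET application that uses forms
// authentication, and the NuGet template's default route api/{controller}/{id}.
using System.Collections.Generic;
using System.Web.Http;

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional });

        // Deny by default: every Web API action requires an authenticated
        // principal unless the action or its controller carries
        // [AllowAnonymous]. Adding a new controller without [Authorize]
        // therefore no longer exposes it.
        config.Filters.Add(new AuthorizeAttribute());
    }
}

// Drop-down entry (assumed shape; the question references the type only).
public class ListElement
{
    public int Id { get; set; }
    public string Text { get; set; }
}

// No [Authorize] needed here; the global filter already applies.
public class RegisterController : ApiController
{
    // Explicit opt-out for the one call the registration page needs before
    // login. This must be System.Web.Http.AllowAnonymousAttribute: the MVC
    // attribute of the same name is ignored by Web API's AuthorizeAttribute.
    [AllowAnonymous]
    public List<ListElement> GetActivitiesList()
    {
        return new List<ListElement>
        {
            new ListElement { Id = 1, Text = "Item 1" },
            new ListElement { Id = 2, Text = "Item 2" },
            new ListElement { Id = 3, Text = "Item 3" },
        };
    }

    // Hypothetical second action: covered by the global filter, so an
    // anonymous caller is rejected with 401 by Web API.
    public List<ListElement> GetMyRegistrations()
    {
        return new List<ListElement>();
    }
}

// Global.asax.cs: wire the configuration up at application start.
public class WebApiApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        WebApiConfig.Register(GlobalConfiguration.Configuration);
    }
}
```

Two caveats when this runs next to forms authentication. First, the global filter only governs what Web API does; a `<deny users="?" />` in web.config is enforced by UrlAuthorizationModule before the request ever reaches a controller, which is why [AllowAnonymous] had no visible effect in the question while that element was in place. Second, FormsAuthenticationModule rewrites the 401 that [Authorize] produces into a 302 to the login page, so an XMLHttpRequest sees a redirect rather than a 401; on ASP.NET 4.5 and later, setting `HttpContext.Response.SuppressFormsAuthenticationRedirect = true` for API requests keeps the 401 intact for client-side code.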

So first of all we don't know anything about the rest of the app - is it MVC or WebForms?

If your app is MVC, I totally agree with Brian that you should use [Authorize] and [AllowAnonymous] on all your controllers.

If you can't do that - you can indeed "punch holes" into the rules - but you need to use the "real" URLs, like

..and yeah - be careful ;)

leastprivilege
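As an added illustration of the "real URL" point above (not part of the answer, whose own example URL is not on the page): `<location>` is matched against the request path, not against the folder a controller class lives in, so a `<location path="Controllers">` block matches nothing, while the path produced by the Web API route does. The route template `api/{controller}/{id}` is assumed here because the question does not show the route registration; with it, RegisterController is reached at /api/register.

```xml
<!-- Added example, not from the original post. Assumes the Web API route
     template api/{controller}/{id}; adjust the location path to whatever
     MapHttpRoute actually registers. The <authentication mode="Forms">
     element already present in the site's web.config is omitted. -->
<configuration>
  <system.web>
    <!-- Site-wide default: anonymous users reach nothing but the login page. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Carve-out keyed on the request URL. Everything under /api/register
       is now reachable anonymously at the web.config level; any action on
       that controller that must stay private needs [Authorize] on it. -->
  <location path="api/register">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Keep the carve-out as narrow as the route allows: `api` would open every controller, `api/register` opens every action of one controller, so each anonymous hole should be paired with [Authorize] on the actions that are not meant to be public.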