
I have an MVC 4 application that uses Simple Membership. Locally, on the dev box (IIS Express) it works fine. If I attempt to access a controller action decorated with the [Authorize] attribute I get returned to the login page as specified in the web.config.

<authentication mode="Forms">
  <forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>

The login action is decorated appropriately:

[AllowAnonymous]
public ActionResult Login(string returnUrl)
{
...
}

On the live server when I try to access a controller method decorated with the [Authorize] attribute I do indeed get directed to the /Account/Login page but I am also presented with the error:

401 - Unauthorized: Access is denied due to invalid credentials.

The IIS site Authentication configuration does have Anonymous and Forms authentication enabled. The application pool is running under the 'Network Service' identity and has 'Load User Profile' as True in order to work with an IIS Local DB used for authentication.

Any ideas why I should be getting the 401?

UPDATE 1

I can confirm my _layout page is not calling any partials from any other controller marked with the [Authorize] attribute as determined in this article.

ChrisCurrie
  • Is there more than one `Login` action? `public ActionResult Login()` without the string? – Christian Phillips Nov 18 '13 at 20:17
  • Does the AccountController have an Authorize decoration? – Andy T Nov 18 '13 at 20:23
  • Hi @christiandev. No, just the one Login action. Thanks. – ChrisCurrie Nov 18 '13 at 20:23
  • Hi @Queti M. Porta. Yes the AccountController does have an Authorize decoration. I did try removing it but I had the same issue. Many thanks. – ChrisCurrie Nov 18 '13 at 20:28
  • Can you get to any of the actions? like `home/index`? is there something special on the login view like some kind of 3rd party captcha? – Christian Phillips Nov 18 '13 at 20:36
  • Did you try setting the location attribute to specifically allow 'loginUrl="~/Account/Login"'? See here: http://support.microsoft.com/kb/316871 – Mike Cheel Nov 18 '13 at 20:41
  • Thanks @christiandev. I can get Home/Index which does not utilise [Authorize]. I am not using any 3rd party components. – ChrisCurrie Nov 18 '13 at 20:41
  • Thanks @Mike Cheel. I have now tried several variations of the location attribute with no joy. I did wonder if this works with MVC routing and then found this article [link](http://stackoverflow.com/questions/11765030/how-to-lock-down-paths-in-asp-net-mvc-4) which does suggest: "You cannot use routing or web.config files to secure your MVC application (Any Version). The only supported way to secure your MVC application is to apply the Authorize attribute..". Many thanks. – ChrisCurrie Nov 18 '13 at 20:54
  • I have recently started a new side project (MVC 5) where I had a similar issue, and setting the location attribute for the appropriate area did work for me. I have seen what you are referring to with the Authorize attribute. The attribute basically does a check against HttpContext.User.Identity.IsAuthenticated, so if web.config says no then this will be false. – Mike Cheel Nov 18 '13 at 22:18
  • Is this a public URL? Have you used Chrome tools or Fiddler to see if you're getting any more info there? Also, worth switching on tracing and just writing a few logs at certain points. – Christian Phillips Nov 18 '13 at 22:28
  • Thanks all. I have added an answer that exposes me for the muppet I am! I appreciate all your help. – ChrisCurrie Nov 18 '13 at 22:44

2 Answers


You might need to allow access to the URL

<location path="Account/Login">
    <system.web>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>
</location>
Andy T
  • Thanks @Queti M. Porta. I have now tried several variations of the location attribute with no joy. I did wonder if this works with MVC routing and then found [this article](http://stackoverflow.com/questions/11765030/how-to-lock-down-paths-in-asp-net-mvc-4) which suggests: "You cannot use routing or web.config files to secure your MVC application (Any Version). The only supported way to secure your MVC application is to apply the Authorize attribute..". Many thanks. – ChrisCurrie Nov 18 '13 at 20:56

OK, I stripped this right back and found the issue was indeed due to a partial view reference on the login page, left over from the original MVC 4 Internet Application project template.

@Html.Action("ExternalLoginsList", new { ReturnUrl = ViewBag.ReturnUrl })

This partial view did utilize a controller action that I had inadvertently decorated with the [Authorize] attribute.

[Authorize(Users = "support,admin")]
[ChildActionOnly]
public ActionResult ExternalLoginsList(string returnUrl)
{
    ViewBag.ReturnUrl = returnUrl;
    return PartialView("_ExternalLoginsListPartial", OAuthWebSecurity.RegisteredClientData);
}

Total human error in the end :(

ChrisCurrie
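The failure mode in this answer (an [Authorize]d child action rendered through Html.Action on an anonymous page) produces a bare 401 with nothing pointing at the partial. As an added example, not code from the question or the answers, the hypothetical TracedAuthorizeAttribute below records which child action was denied before returning the normal 401, and the corrected ExternalLoginsList carries [AllowAnonymous] so it renders on the login page even if the controller itself is decorated with [Authorize]; the rest of AccountController is omitted.

```csharp
using System.Diagnostics;
using System.Web.Mvc;
using Microsoft.Web.WebPages.OAuth;

// Hypothetical diagnostic attribute (added example). It behaves exactly like
// [Authorize]; the only difference is that when the denied request is a child
// action (Html.Action / Html.RenderAction) it writes a trace entry naming that
// action, so the 401 can be tied back to the partial that caused it.
public class TracedAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.IsChildAction)
        {
            ActionDescriptor action = filterContext.ActionDescriptor;
            string name = action.ControllerDescriptor.ControllerName + "/" + action.ActionName;

            // The parent request (here the login page) is anonymous by design, so a
            // child action that demands authorization is almost certainly a mistake.
            Trace.TraceWarning(
                "Child action {0} denied for user '{1}' while rendering {2}",
                name,
                filterContext.HttpContext.User.Identity.Name,
                filterContext.HttpContext.Request.RawUrl);
        }

        // Same result as the stock attribute: HttpUnauthorizedResult (401).
        base.HandleUnauthorizedRequest(filterContext);
    }
}

// Corrected form of the child action from the answer. AuthorizeAttribute skips
// its check when the action or controller carries [AllowAnonymous], so the
// partial renders for the anonymous user on /Account/Login.
[TracedAuthorize]
public class AccountController : Controller
{
    [AllowAnonymous]
    [ChildActionOnly]
    public ActionResult ExternalLoginsList(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return PartialView("_ExternalLoginsListPartial", OAuthWebSecurity.RegisteredClientData);
    }
}
```

With tracing switched on (as suggested in the comments), a request to the login page that still hits a protected child action will leave a warning naming Controller/Action instead of only the 401.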