4

I am trying to understand how the [AllowAnonymous] tag works.

I have the following method

```csharp
[HttpGet]
public ActionResult Add()
{
    return View();
}
```

When I am not logged in, I am able to open this page. I have been under the impression that I should be able to do that only if I put the [AllowAnonymous] tag above the method. Is there a setting that I need to turn on to make this work?

Bagzli
  • [AllowAnonymous] is only relevant when you have Authorization activated, for example when the [Authorize]-filter is present. – Philip Jan 03 '16 at 18:56
  • @Nakata I tried adding `[Authorize]` above it as well, but it had no effect. How would I make this work? – Bagzli Jan 03 '16 at 18:58
  • How is your MVC application hosted? IIS with Windows Authentication, IIS Express with allowed Windows Authentication etc.? – Alexei - check Codidact Jan 03 '16 at 19:00
  • @Alexei at the moment just localhost on Windows 7, but when deployed it will be Windows hosting on an IIS server – Bagzli Jan 03 '16 at 19:01
  • 1
    @Bagzli Where are you placing the [Authorize] filter in that case? If you want to make your "Add()"-method anonymous you should place it above the class/controller wrapping the method. – Philip Jan 03 '16 at 19:01
  • @Nakata just above the `[HttpGet]` attribute – Bagzli Jan 03 '16 at 19:02
  • Yes, localhost, but there are several options: Developer Server, IIS Express, IIS 7 / 7.5? I am asking that because IIS / Express may be configured to use Windows Authentication which will automatically authorize you. Removing Windows Authentication and allowing anonymous authentication I think can be used to test if your functionality is really accessible to non-authenticated users. – Alexei - check Codidact Jan 03 '16 at 19:04

1 Answer

9

The [AllowAnonymous] attribute only works when you use the [Authorize] attribute at the controller level. For example, you use the [Authorize] attribute on an AccountController. You also want your users to be allowed to access the Login method without authentication. In this case you use the [AllowAnonymous] attribute on the Login method. Your users will then be able to log in to your site, because [AllowAnonymous] allows it.

Does it make sense?

Andrew
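The pattern described in this answer, as an added example that is not part of the original post. It assumes ASP.NET MVC 5 (`System.Web.Mvc`) and the `FilterConfig` class from the default project template; the controller and action names are illustrative.

```csharp
using System.Web.Mvc;

// Option 1: require authentication for every action in the application.
// In the default MVC project template, RegisterGlobalFilters is called
// from Application_Start in Global.asax.
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute()); // deny anonymous users by default
    }
}

// Option 2: require authentication for a single controller.
[Authorize]
public class AccountController : Controller
{
    // Opt-out: without [AllowAnonymous] the login page itself would
    // demand a login, and nobody could ever sign in.
    [HttpGet]
    [AllowAnonymous]
    public ActionResult Login()
    {
        return View();
    }

    // No attribute of its own, so it inherits [Authorize] from the
    // controller. An anonymous request gets a 401, which forms or cookie
    // authentication typically turns into a redirect to the login page.
    // Without [Authorize] on the action, the controller, or the global
    // filters, this action is open to everyone and [AllowAnonymous]
    // has nothing to override.
    [HttpGet]
    public ActionResult Add()
    {
        return View();
    }
}
```

As the comments on the question point out, a host that authenticates the request itself (for example Windows Authentication in IIS or IIS Express) means the user is never anonymous, so test with that disabled to confirm `Add()` is really protected.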