I am using forms authentication in my ASP.NET MVC application. I want to the signup page from the authorization process. I know I can add a location tag in my main web.config file or create a new web.config inside the specific folder. But I just to exclude one specific action in the User controller. How do I do it?
A:
OK, I have got it.
What I did is, I created a separate controller for that action and added a location element in my web.config to allow anonymous access to that action.
This will allow all access to that controller without authentication.
Hash
2010-06-04 06:09:38
+1
A:
You could also have created your own AllowWithoutAuthorisation attribute and decorated that ActionResult with it.
EDIT This is kinda untested but couldn't you do;
[Authorize(Users="*")]
EDIT 2
Or you could decorate each ActionResult with [Authorise] and ommit the one you want not to have authorised.
griegs
2010-06-04 06:18:50
+2
A:
Do not use Web.config <location> authorization in an MVC application. Doing so will lead to security vulnerabilities in your web site.
Instead, use the [Authorize] attribute to control who has access to certain controllers or actions. (You can use the [Authorize] attribute on a controller's type if you want it to apply to all actions in that controller.)
More information:
Levi
2010-06-04 17:17:45