Allowing access to specific pages with ASP-MVC and Forms Authentication

Question

Here is a simple overview of my directory layout for my views:

Project

• Page 1
• Page 2
• RSS

Issues

• Page 1
• Page 2
• RSS

I am using forms authentication to deny access to all unauthenticated users, that works fine. However, I want to be able to grant access to the RSS views to everyone (so they can subscribe via google reader and stuff)

I understand that you can grant access to pages by adding the following page to your web.config

  <location path="TOURPAGE.aspx">
<system.web>
  <authorization>
    <allow users="*" />
    <allow users="?" />
  </authorization>
</system.web>

However, how would I do this with my dynamically made URL's, such as:

Issues/RSS/chrisj

• That path maps to a controller in issues called RSS, which takes a username and spits out an RSS of thier issues...

EDIT

Some answers I thought had fixed it, but:

It seems that, in my case at least, you still need the authentication cookie in order to see the page. You can be logged out and view it, so long as you have the cookie.

That is no good to me, I need the page to be completely public, as it is an RSS feed.

Answer 1

This was actually much simpler than I thought. Seems .net is quite clever, I tried the following:

  <location path="Issues/RSS">
<system.web>
  <authorization>
    <allow users="*" />
    <allow users="?" />
  </authorization>
</system.web>

And it worked :)

Answer 2

<location path="/Issues/RSS/">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>

EDIT: The reason this works by the way, is because .NET is assuming that URL goes to a directory, and this location tag above says "anything in the 'Issues/RSS' directory is safe :)

Answer 3

This might not be working as intended.

It seems that, in my case at least, you still need the authentication cookie in order to see the page. You can be logged out and view it, so long as you have the cookie.

That is no good to me, I need the page to be completely public, as it is an RSS feed.

Answer 4

Forget about the <location><allow /><deny /> stuff... sounds like you need to use the [Authorize] attribute on your actions.

Check out these pages for more info: http://www.asp.net/learn/mvc/tutorial-17-cs.aspx http://www.pnpguidance.net/post/ASPNETMVCFrameworkPreview4HandleErrorAuthorizeOutputCacheActionFilterAttributes.aspx

Also, the attribute can be applied at the controller level as well, so you don't have to put it on each individual action.

Answer 5

I agree with Charlino that the [Authorize] tag will probably solve your problem.

If you are using a single controller action for both RSS and a page (and are just rendering a different ActionResult based on some parameter), you can check if the user is authenticated with HttpContext.Current.User.Identity.IsAuthenticated, and use that within the controller action to decide whether or not to continue & allow access.