I have the following authorization settings in my web.config:

<authorization>
  <deny users="?" />
</authorization>

This denies all anonymous access to the application except the login page. In addition to this I am using authorization within each controller action via a custom authorize attribute.

I have one additional action that I would like to expose publicly in addition to the login page. This particular action does not have the authorization attribute on it. I have tried to make this view (resetPassword view) public by using the location tag in the web.config file like so:

<location path="Account/ResetPassword" allowOverride="false">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

In the path attribute above I have tried both the view as well as the action path, but it doesn't allow public access to the action.

I have even tried to put this view in a separate folder within the shared folder and put a separate web.config file to make that folder public like so:

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>

None of the above configurations allows me to make this particular action (view) public. Can anyone suggest any other solutions, or what I may be doing wrong in this case? Thanks in advance.

+1  A: 

You can remove the authorization tag from the web config and just use the authorize attribute. The action without the Authorize attribute set will be public.

I had the same problem some time ago. Please have a look at this question and its answers.

If you want to do it using the web config then use code like this

<!-- Allow access to _assets directory -->
<location path="_assets">
    <system.web>
       <authorization>
           <allow users="?"/>
       </authorization>
    </system.web>
</location>

In your sample you are using "*" but you should use "?" ;)

Lorenzo
@Lorenzo: I understand that but I am under the assumption that this way there is a second level of security implemented by the web.config over the entire contents of the web application. I wanted to keep that as well. Is there a way I can do that?
Nosh
@Nosh: I have edited my answer as per your requirement. Try with this.
Lorenzo
@Lorenzo: Thank you for your help, unfortunately changing the character doesn't resolve the issue for me.
Nosh
@Nosh: sorry it did not help. I use the code that I have posted to make the assets (js, css, images) available also if the user is not logged in and it works. But in my case that's a real path. In your case the Controller/Action is not a path on the file system so I think you should remove the "second level of security" and just rely on the Authorize attribute that is what you really need. Good luck!
Lorenzo
@Lorenzo: I agree, I think the location attribute is more suited for a web forms environment where there are actual physical pages in the application. Otherwise the ASP.NET MVC team needs to look into this and implement the location attribute for MVC as well. But for the time the Authorize attribute will have to do and will provide the only level of security.
Nosh
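
An added example, not part of the original posts: on ASP.NET MVC 4 or later (an assumption; the thread does not state a version), a globally registered `AuthorizeAttribute` gives the application-wide deny-by-default that the `<deny users="?" />` rule was meant to provide, and `[AllowAnonymous]` opens individual actions such as `Account/ResetPassword`. The `Login` and `ChangePassword` action names are hypothetical.

```csharp
using System.Web.Mvc;

// Assumption: ASP.NET MVC 4+, where AllowAnonymousAttribute and
// GlobalFilterCollection live in System.Web.Mvc.
public static class FilterConfig
{
    // Call once from Application_Start in Global.asax:
    //   FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        // Deny by default: every controller action now requires an
        // authenticated user unless it explicitly opts out. This takes the
        // place of <deny users="?" /> in web.config, which matches URL paths
        // and cannot be scoped to a routed controller action.
        filters.Add(new AuthorizeAttribute());
    }
}

public class AccountController : Controller
{
    // Explicitly public: the login page must be reachable anonymously.
    [AllowAnonymous]
    public ActionResult Login()
    {
        return View();
    }

    // Explicitly public: the action the question wants to expose.
    [AllowAnonymous]
    public ActionResult ResetPassword()
    {
        return View();
    }

    // No attribute here: the global filter still applies, so an anonymous
    // request is redirected to the login page. Forgetting an attribute
    // therefore fails closed instead of leaving the action public.
    public ActionResult ChangePassword()
    {
        return View();
    }
}
```

With this arrangement the set of public endpoints can be audited by searching the code base for `[AllowAnonymous]`.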