Home/ Questions/Q 9072933
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-16T18:17:33+00:00

I am trying to determine how to configure access to a Web API controller

  • 0

I am trying to determine how to configure access to a Web API controller service under forms authentication. If I add authorization configuration to deny all anonymous users by adding the authorization element:

<authorization>
   <!– Deny all anonymous users –>
   <deny users=”?” />
</authorization>

Only the login page is accessible as expected. But I would also like access to a list returned from a controller. I added the [AllowAnonymous] attribute to a simple service that returns values used to populate a drop down menu. For example:

namespace WebAPI.Controllers
{
    public class RegisterController : ApiController
    {
        [AllowAnonymous]
        public List<ListElement> GetActivitiesList()
        {
            List<ListElement> li = new List<ListElement>();

            li.Add(new ListElement() { Id = 1, Text = "Item 1" });
            li.Add(new ListElement() { Id = 2, Text = "Item 2" });
            li.Add(new ListElement() { Id = 3, Text = "Item 3" });

            return li;

        }

    }
}

I added the controllers directory to the allowed list in the web.config:

<location path=”Controllers”>
   <system.web>
   <authorization>
      <allow users=”*” />
   </authorization>
   </system.web>
</location>

If I browse my sample page to invoke the controller, forms authentication still denies access with a 302 redirect to the login page, even if I add the [AllowAnonymous] attribute. If I remove the authorization element “<deny users=”?” />” for the entire site, I can control access using the [Authorize] and [AllowAnonymous] attributes.

The objective is to be able to use specific services on a few pages (like registration) for anonymous users, while the rest of site access is restricted to authenticated users. Accessing a service is not exactly the same as accessing a file, so my guess is that I have to write a special handler for this situation, but I am not sure as to how to go about it.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    First off, don’t use the old-school ASP.NET allow/deny mechanism to control access when you are using ASP.NET MVC. I don’t think this is supported, and may instead create security holes in your site (source). The correct way to control access in ASP.NET MVC is to use the [Authorize] and [AllowAnonymous] attributes on your controller classes and/or methods as you alluded to in your question.

    If you want to make it so that your whole application requires a login for every method except a couple, you can apply the [Authorize] attribute at the class level to all your controllers, and then apply the [AllowAnonymous] attribute at the method level for those methods that should not require authentication. There is also a way to write a FilterProvider, such that it will automatically apply the [Authorize] attribute programmatically to any controller that does not have such an attribute already applied. This is handy because it then you can’t accidentally forget to apply the [Authorize] attribute. See this article for details on how to do that. Note that the [AllowAnonymous] attribute introduced in MVC4 performs the same function as the custom [Public] attribute the author describes in the article. See also this article which talks about securing an MVC application in general. Both articles are a little bit dated (2011), but the basic ideas are still sound.

    • 0