I have enabled form authentication in my ASP.NET MVC web application. I want to allow anonymous users access only to some specific pages, including Register.cshtml for instance. I was able to allow access to my CSS file from my root web.config by doing this:
    <location path="Content/Site.css">
      <system.web>
        <authorization>
          <allow users="*"/>
        </authorization>
      </system.web>
    </location>
Now I want to allow anonymous access to other pages, like Home and Register. Does anybody know how to achieve this?
In MVC you normally use the [Authorize] attribute to manage authorization. Controllers or individual actions that are dressed with that attribute will require that the user is authorized in order to access them – all other actions will be available to anonymous users.
In other words, a black-list approach, where actions that require authorization are black-listed for anonymous users using [Authorize] – all actions (not dressed with the attribute) will be available.
Update:
With MVC4 a new attribute has been introduced, namely the [AllowAnonymous] attribute. Together with the [Authorize] attribute, you can now take a white-list approach instead. The white-list approach is accomplished by dressing the entire controller with the [Authorize] attribute, to force authorization for all actions within that controller. You can then dress specific actions, that shouldn’t require authorization, with the [AllowAnonymous] attribute, and thereby white-listing only those actions. With this approach, you can be confident that you don’t, by accident, forget to dress an action with the [Authorize], leaving it available to anyone, even though it shouldn’t.
Your code could then be something like this:
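The white-list approach described in the answer, as an added example that is not part of the original post. It goes one step further than the text by also registering [Authorize] as a global filter, so the deny-by-default rule covers every controller. The controller and action names (Home, Account, Dashboard, Manage, Login) are assumptions chosen for illustration.

```csharp
using System.Web.Mvc;

// App_Start/FilterConfig.cs in the default MVC 4 template;
// RegisterGlobalFilters is called from Application_Start in Global.asax.
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        // Deny by default: every action in every controller now requires
        // an authenticated user unless it is explicitly allowed below.
        filters.Add(new AuthorizeAttribute());
    }
}

// Assumed controller; only Index is open to anonymous users.
public class HomeController : Controller
{
    [AllowAnonymous]
    public ActionResult Index() { return View(); }

    // No attribute needed: the global filter already protects this action.
    public ActionResult Dashboard() { return View(); }
}

// Assumed controller. [Authorize] here is redundant with the global filter
// but keeps the controller protected if that registration is ever removed.
[Authorize]
public class AccountController : Controller
{
    [AllowAnonymous]
    public ActionResult Register() { return View(); }   // renders Register.cshtml

    // The login page must be allowed too, otherwise the forms-authentication
    // redirect to the login URL is itself rejected and loops.
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    public ActionResult Manage() { return View(); }      // authenticated users only
}

// Caveat: [AllowAnonymous] placed on a controller class makes AuthorizeAttribute
// skip every action in it, including actions marked [Authorize]. Prefer
// putting it on individual actions.
```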