AllowAnonymous no longer working ?

Feb 28, 2013 at 7:23 PM

I've just started using the assembly and am running into some problems, let me tell you what I did so far :

I've installed the NuGet package MvcAuthorization.1.0.1 into my project.
I've created a project specific AuthorizationProvider and a MvcDependencyResolver returning that AuthorizationProvider. I've added

DependencyResolver.SetResolver(new MvcDependencyResolver());

To the Application_Start() in global.asax.cs

I've added

filters.Add(new MvcAuthorization.AuthorizeFilter());
filters.Add(new System.Web.Mvc.AuthorizeAttribute()); // so all actions are authorized, except when the AllowAnonymous attribute is used...

to the FilterConfig

Now when I start my mvc4 app even the Account/Login action gets authorized and fails since no one is logged in yet ...

commenting the DependencyResolver line from the global.asax.cs does solve the problem but then I can't use the mvcauthorization and the logged-on user can do anything, even those actions for which he's not authorized...

I'm not using the web.config to store my authorization, I've created my own subclass of AuthorizationProvider using the overrides LoadActionAuthorizationDescriptor and LoadControllerAuthorizationDescriptor.

I'm pretty sure I've missed something but since there's no documentation or further example code from wich I can solve the issue I thought I'd ask the experts right here :o)

Any help would be greatly appreciated.

Jul 18, 2013 at 3:27 AM

In v2 of this you can achieve this through policies and remove the "filters.Add(new System.Web.Mvc.AuthorizeAttribute());" line. Here's an example from the config (but you can also return this information from your database). It works by denying anonymous access for everything, unless ignoreInherited is set to true for that policy:

  <policy name="DenyNoRoleAccess" />
  <policy name="DenyAnonymousAccess" />
   <controller name="Account">
          <action name="LogOn">
              <policy ignoreInherited="true" name="DenyNoRoleAccess" /> <!-- Allow no role access for Login action -->
              <policy ignoreInherited="true" name="DenyAnonymousAccess" />  <!-- Allow anonymous access for Login action -->