9

I have an ASP.Net MVC app using Integrated Security that I need to be able grant open access to a specific route. The route in question is ~/Agreements/Upload. I have tried a few things and nothing has worked thus far.

<configuration> 
  <location path="~/Agreements/Upload">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration> 

In IIS under Directory Security > Authentication Methods I only have "Integrated Windows Authentication" selected. Now, this could be part of my problem (as even though IIS allows the above IIS doesn't). But if that's the case how do I configure it so that Integrated Security works but allows people who aren't authenticated to access the given route?

Anthony Mastrean
vdh_ant
  • DANGER, You can't secure your MVC app this way. See http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx – RickAndMSFT Mar 23 '12 at 21:59
  • @RickAndMSFT is on a righteous crusade. I read his blog and I'm sold on the idea that he's right. – MrBoJangles Jan 28 '13 at 22:10

2 Answers

16

In ASP.NET MVC you should not use the location element in the web.config. Whereas the web forms engine mapped to physical files on disk, the MVC engine uses routing. This means that you could inadvertently allow access to a "protected controller" through a custom route by accident.

The recommended way of securing ASP.NET MVC applications is through the use of the Authorize attribute, as seen in the example below:

using System.Web.Mvc;

public class HomeController : Controller
{
    // Only authenticated users reach this action; the check is bound to the
    // action itself, so it holds no matter which route maps to it.
    [Authorize]
    public ActionResult Index()
    {
        return View();
    }
}

The controller action is what you want to protect and not the route. The ASP.NET MVC Security bod, Levi Broderick is rather vocal about this issue:

  1. Excluding an action from authorization in ASP.NET MVC 2
  2. Problem with Authorization with IIS and MVC.
  • For the MVC 4 version see http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx – RickAndMSFT Mar 23 '12 at 21:58
  • @Rick.Anderson-at-Microsoft.com Thanks for that update. The article is interesting. We implemented something very similar in MVC3 to solve the anonymous access controller and/or controller action. – Rebecca Mar 26 '12 at 08:46
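The secure-by-default shape the answer and the comments point at, as an added example (not code from either answer): Authorize is registered as a global filter so every action is protected, and only the Upload action from the question opts out with the MVC 4 [AllowAnonymous] attribute. It assumes ASP.NET MVC 4 or later, the template's Global.asax calling FilterConfig.RegisterGlobalFilters, and a hypothetical AgreementsController behind ~/Agreements/Upload.

```csharp
using System.Web;
using System.Web.Mvc;

// Added example; assumes the MVC 4 project template, where Application_Start
// calls FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters).
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        // Every action now requires an authenticated (here: Windows) identity
        // unless it explicitly opts out. A new route can no longer expose an
        // action that nobody remembered to decorate.
        filters.Add(new AuthorizeAttribute());
        filters.Add(new HandleErrorAttribute());
    }
}

// Hypothetical controller for the ~/Agreements/Upload route in the question.
public class AgreementsController : Controller
{
    // The single public endpoint: [AllowAnonymous] tells the global
    // AuthorizeAttribute to skip this action only.
    [AllowAnonymous]
    [HttpGet]
    public ActionResult Upload()
    {
        return View();
    }

    [AllowAnonymous]
    [HttpPost]
    public ActionResult Upload(HttpPostedFileBase file)
    {
        // Anonymous input: validate before doing anything with it.
        if (file == null || file.ContentLength == 0)
        {
            return new HttpStatusCodeResult(400, "No file supplied");
        }
        // ... store the agreement ...
        return RedirectToAction("Index");
    }

    // No opt-out here, so the global filter applies and
    // User.Identity.Name is the caller's Windows account.
    public ActionResult Index()
    {
        ViewBag.UserName = User.Identity.Name;
        return View();
    }
}
```

For the anonymous request to reach the Upload action at all, IIS must have Anonymous Authentication enabled alongside Windows Authentication; with Windows Authentication alone IIS rejects the request before any MVC filter runs.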
-1

You need to allow anonymous access in IIS as well, as otherwise only Windows authenticated users will be able to access anywhere in your site. You should deny access by default to anonymous users.

<deny users="?"/>
<allow users="*"/>

In your <location> section, allow anonymous users.

<allow users="?"/>
  • When I allow anonymous access in IIS I seem to lose the ability to pull out the user name of the people using windows integrated security... – vdh_ant Apr 05 '10 at 23:41
  • Ah.. the tricky bit is according to http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx (ASP.NET Authorization) - "Rules contained in application-level configuration files take precedence over inherited rules" – David Gardiner Apr 06 '10 at 06:23
  • This answer is not only wrong, it's dangerous, as pointed out by a comment on the question. – Andy Apr 30 '12 at 15:30