I registered a MessageHandler (with config.MessageHandlers.Add(new ValidationHandler())) which inherits from DelegatingHandler. It checks each request for a security token and checks whether it is valid.
I have 2 or 3 action methods in my controller which should be accessible without any authorization.
My problem: The MessageHandler is called first, so the action method which should be accessible from everywhere will be handled as an unauthorized request. I'm not able to change the code of the MessageHandler. I tried to add the AllowAnonymous attribute, but I still get an unauthorized response.
I found this post: "Redirecting unauthorized controller in ASP.NET MVC". So my current idea would be to forward the user in HandleUnauthorizedRequest to the proper action method. But I think it's not the best way.
Is there a better way to do this? Is there a way to tell the web.config that actionmethod1 and actionmethod2 are allowed to be accessed by an unauthorized user?
[Edit] Creating an UnAuthorizeAttribute with the AuthorizeAttribute which still forwards the user to the action methods doesn't work. The message handler "kills" the request with
statusCode = HttpStatusCode.Unauthorized;
return Task<HttpResponseMessage>.Factory.StartNew(() => new HttpResponseMessage(statusCode));
So the UnAuthorizeAttribute will not be invoked. I'm using ASP.NET MVC Web API.
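A handler added to config.MessageHandlers runs for every request before controller selection and authorization filters, so [AllowAnonymous] is never consulted. One way to exempt specific actions without touching ValidationHandler is to attach it per route instead of globally; this is an added example, not code from the original post, and the controller name Items, the route names and the route templates are assumptions.

```csharp
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Dispatcher;

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Do NOT call config.MessageHandlers.Add(new ValidationHandler()) here:
        // a global handler runs for every route, including the anonymous ones.

        // Pipeline for protected routes: ValidationHandler -> controller dispatcher.
        // ValidationHandler is the existing, unmodified handler from the question.
        HttpMessageHandler protectedPipeline = HttpClientFactory.CreatePipeline(
            new HttpControllerDispatcher(config),
            new DelegatingHandler[] { new ValidationHandler() });

        // Anonymous route, registered first and kept as narrow as possible.
        // The controller is fixed in the template (hypothetical "Items") and the
        // action is restricted by a regex constraint, which Web API matches
        // against the whole segment. No per-route handler is attached, so the
        // token check is skipped only for these two actions.
        config.Routes.MapHttpRoute(
            name: "AnonymousActions",
            routeTemplate: "api/Items/{action}",
            defaults: new { controller = "Items" },
            constraints: new { action = "actionmethod1|actionmethod2" });

        // Every other route carries the validation pipeline, so any request
        // that does not match the allowlist above is still token-checked.
        config.Routes.MapHttpRoute(
            name: "ProtectedApi",
            routeTemplate: "api/{controller}/{action}/{id}",
            defaults: new { id = RouteParameter.Optional },
            constraints: null,
            handler: protectedPipeline);
    }
}
```

Any route added later without the handler argument is reachable without a token, so every non-anonymous route must be registered with protectedPipeline.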