2

I'm developing an ASP.NET MVC 5 app with a Web Api service in C# and .NET Framework 4.5.1.

I have enabled `<authentication mode="Windows" />` on `Web.config` and added the following on ASP.NET MVC Controllers:

```csharp
[Authorize(Roles = @"MyDomain\MyRole")]
public class ReportController : Controller
```

But I don't need Windows Authentication on ApiController. How can I enable anonymous access to ApiControllers?

Amna
VansFannel
  • 1
    You should be able to use the api controllers anonymously unless you have specified a `[Authorize]` attribute on the controller method / class. – scheien Jun 02 '15 at 07:15
  • I'm asking that because I have had problems with this configuration on an IIS 7. After I have disabled `` to ``, I have worked with `ApiControllers` without problems. – VansFannel Jun 02 '15 at 07:38
  • possible duplicate of [Allow anonymous to ASP.NET Web API controller while rest of the application runs under windows authentication](http://stackoverflow.com/questions/20835373/allow-anonymous-to-asp-net-web-api-controller-while-rest-of-the-application-runs) – scheien Jun 02 '15 at 07:45
  • If you're exposing your api in a particular URL, you can use the solution on the question of the previous comment: allow anonymous access to a particular location in web.config. If that doesn't work for you, please, let me know. – JotaBe Jun 02 '15 at 07:57

1 Answer

5

To do this for webapi you can use the below in your Web.Config

```xml
<location path="api">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
```

This is saying that for the api controllers, allow any users (denoted by the ?). It might be worth changing that to be more specific if you wanted to do specific controllers.

It also assumes you deny access to all anonymous users and that your web.config authentication is like this

```xml
<system.web>
  <authentication mode="Windows" />
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
```

However if you want to allow it on the MVC Controllers you can utilise the [AllowAnonymous] attribute.

Related: Use Anonymous authentication in MVC4 on single controller when the whole application uses Windows Authenticaion

Disable Windows Authentication for WebAPI

Windows Authentication for ASP.NET MVC 4 - how it works, how to test it

Additional Reading:

Windows Authentication ASP.NET

Authorize Attribute MSDN

Anonymous Attribute MSDN

JEV
  • The question asks how to configure anonymous access to Web API, not MVC. – JotaBe Jun 02 '15 at 08:13
  • It says with MVC, and the controller in question is an MVC Controller. I will update Answer regardless - you made me realise the config was missing. So I just updated it to have a ? instead of * and path of api – JEV Jun 02 '15 at 08:15
  • Perhaps it's not very clear, but let me quote the title: "allows anonymous app on ApiControllers" and some text from the body of the question: "How can I enable anonymous access to ApiControllers?" – JotaBe Jun 02 '15 at 08:19
  • You are correct, and if you want to reread my previous comment '...I will update Answer...' I have left the original information there as it may prove useful. – JEV Jun 02 '15 at 08:20
  • Don't take it amiss ;) I didn't mean to be rude, only to justify my comment. – JotaBe Jun 02 '15 at 08:21
  • It's ok - I read the first part and then brain ignored the last bit haha! – JEV Jun 02 '15 at 08:22
  • Thanks for your answer. In other words: I don't need Windows Authentication to access `ApiController`s but I need it on MVC's `Controller`s. – VansFannel Jun 02 '15 at 08:41
  • Correct, unless you are manually using the [Authorize] attribute. If you find yourself facing 401's use the .config I posted – JEV Jun 02 '15 at 08:43
  • 1
    I have tested your `web.config` modification and it works. It also works without `[AllowAnonymous]` on `ApiController`s. – VansFannel Jun 08 '15 at 08:29
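
An added example (not from the answer or its author): a Python check that evaluates the `<authorization>` rules of a Web.config the way ASP.NET URL authorization does (most specific `<location>` first, first matching rule wins, machine-level default of allow all) and reports whether an unauthenticated request to a path gets through. The sample config is constructed from the two fragments in the answer; the function names and the path-prefix matching are assumptions of this example, and `[Authorize]` attributes on controllers are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two Web.config fragments from the answer, combined.
WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <location path="api">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>"""


def _rules(node):
    """<allow>/<deny> elements under node/system.web/authorization, in order."""
    return [r for sw in node if sw.tag == "system.web"
            for auth in sw if auth.tag == "authorization"
            for r in auth if r.tag in ("allow", "deny")]


def anonymous_allowed(config_xml, url_path, verb="GET"):
    """True if an unauthenticated request to url_path passes URL authorization."""
    root = ET.fromstring(config_xml)
    path = url_path.strip("/").lower()
    # Collect <location> elements covering the path, most specific first.
    covering = []
    for loc in root.findall("location"):
        lp = loc.get("path", "").strip("/").lower()
        if lp in ("", ".") or path == lp or path.startswith(lp + "/"):
            covering.append((len(lp), loc))
    covering.sort(key=lambda item: item[0], reverse=True)
    ordered = [r for _, loc in covering for r in _rules(loc)] + _rules(root)
    for rule in ordered:
        verbs = [v.strip().upper() for v in rule.get("verbs", "").split(",") if v.strip()]
        if verbs and verb.upper() not in verbs:
            continue  # rule is limited to other HTTP verbs
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if "?" in users or "*" in users:  # rule applies to anonymous callers
            return rule.tag == "allow"
    return True  # no rule matched: machine-level default is <allow users="*"/>
```

Running it over every `<location>` path in a deployed Web.config gives a quick list of URL prefixes that are reachable without Windows credentials.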