Apply AuthorizeAttribute to a controller class and to action simultaneously

Question

Is There one way to make a [Authorize] attibute be ignored in one action in a controller class that has a Authorize attribute?

        [Authorize]
        public class MyController : Controller
        {
           [Authorize(Users="?")]//I tried to do that and with "*", but unsuccessfuly,
           public ActionResult PublicMethod()
           {
           //some code
           }

           public ActionResult PrivateMethod()
           {
           //some code
           }
        }

Just the PrivateMethod() should have authentication required, but it has been required too.

PS: I wouldn't like to make my custom authorize filter.

[]'s

Are you trying to ignore the Authorize that is on class MyController for the action PublicMethod or PrivateMethod? — itsmatt, Aug 18 '11 at 20:45
It's to ignore for action PublicMethod. I wrote something wrong, I'm sorry, it's fixed now! — Adriano Zawadzki, Aug 20 '11 at 12:39

score 16 · Answer 1 · answered Apr 25 '13 at 09:11

You can use [AllowAnonymous]

 [Authorize]
 public class MyController : Controller
 {
     [AllowAnonymous]
     public ActionResult PublicMethod()
     {
           //some code
     }

     public ActionResult PrivateMethod()
     {
           //some code
     }
  }

score 4 · Accepted Answer · edited May 23 '17 at 12:09

4

By default it's impossible - if you set [Authorize] for controller then only authenticated user can access to action.

or

You can try custom decisions: stackoverflow.

edited May 23 '17 at 12:09

Community

1
1

answered Aug 18 '11 at 21:12

vladimir

13,428
2
44
70

score 3 · Answer 3 · edited May 03 '13 at 10:33

3

A solution is in this article: Securing your ASP.NET MVC 3 Application

The article talks about a white list approach where you decorate actions with a AllowAnonymous custom attribute. It requires that you extend AuthorizeAttribute and the OnAuthorization method to skip authorization checks of AllowAnonymous -actions. (The approach is credited to Levi, a security expert on the MVC team.)

edited May 03 '13 at 10:33

Sola Oderinde

1,046
2
22
30

answered Jul 19 '12 at 23:11

Omar

1,493
12
14

score 0 · Answer 4 · answered Mar 18 '17 at 15:17

0

    public class MyController : Controller
    {
       [Authorize] //it will only work for the following action
       public ActionResult PublicMethod()
       {
       //some code
       }

       public ActionResult PrivateMethod()  //[Authorize] will not work for this action
       {
       //some code
       }
    }

answered Mar 18 '17 at 15:17

imtiaj ahammad

31
5

Try adding some words to explain your answer. Answers of just code are normally less helpful. – Matt Mar 19 '17 at 00:19

score 0 · Answer 5 · answered Jan 28 '20 at 10:41

0

Just for future reference This is now available to be done by the the [AllowAnonymous] attribute in ASP.NET MVC 4.

More Info

answered Jan 28 '20 at 10:41

Salim

439
2
8

Apply AuthorizeAttribute to a controller class and to action simultaneously

5 Answers5

Linked