17

I would like to use [Authorize] for every action in my admin controller except the Login action. 

[Authorize (Roles = "Administrator")]
public class AdminController : Controller
{
    // what can I place here to disable authorize?
    public ActionResult Login()
    {
        return View();
    }
}
mipe34
  • 5,372
  • 3
  • 25
  • 37
Todd Smith
  • 16,314
  • 11
  • 53
  • 76

4 Answers4

27

You can decorate your controller with [Authorize] and then you can just decorate the method that you want to exempt with [AllowAnonymous]

Ben Pretorius
  • 3,641
  • 2
  • 29
  • 28
14

I don't think you can do this with the standard Authorize attribute, but you could derive your own attribute from AuthorizeAttribute that takes a list of actions to allow and allows access to just those actions. You can look at the source for the AuthorizeAttribute at www.codeplex.com for ideas on how to do this. If you did, it might look like:

[AdminAuthorize (Roles = "Administrator", Exempt = "Login, Logout") ]
public class AdminController : Controller
{
    public ActionResult Login()
    {
        return View();
    }

    public ActionResult Login()
    {
        return View();
    }

    ... other, restricted actions ...
}

EDIT: FYI, I eventually ran across a need to do something similar on my own and I went a different direction. I created a default authorization filter provider and apply a global authorize filter. The authorization filter provider uses reflection to check if an action or controller has a specific authorize attribute applied and, if so, defers to it. Otherwise, it applies a default authorization filter. This is coupled with a PublicAttribute derived from AuthorizeAttribute that allows public access. Now, I get default secured access, but can grant public access via [Public] applied to an action or controller. More specific authorization can also be applied as necessary. See my blog at http://farm-fresh-code.blogspot.com/2011/04/default-authorization-filter-provider.html

tvanfosson
  • 490,224
  • 93
  • 683
  • 780
  • Looks like you're correct according to http://www.codeplex.com/aspnet/SourceControl/changeset/view/17272 I'm guessing the attribute gets applied at the controller level and never gives the action an attempt to evaluate it. – Todd Smith Nov 30 '08 at 23:13
  • Hmm apparently you can't link directly to the source file on codeplex. – Todd Smith Nov 30 '08 at 23:16
5

You could override the OnAuthorization method of the controller

    protected override void OnAuthorization(AuthorizationContext filterContext)
    {
        if ((string)(filterContext.RouteData.Values["action"]) == "Login")
        {
            filterContext.Cancel = true;
            filterContext.Result = Login();
        }
    }

This works but it is a hack.

Full class code used for testing:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Mvc.Ajax;

namespace MvcApplication2.Controllers
{
[HandleError]
[Authorize]
public class HomeController : Controller
{
    public ActionResult Index()
    {
        ViewData["Title"] = "Home Page";
        ViewData["Message"] = "Welcome to ASP.NET MVC!";

        return View();
    }


    public ActionResult About()
    {
        ViewData["Title"] = "About Page";

        return View();
    }


    protected override void OnAuthorization(AuthorizationContext filterContext)
    {
        if ((string)(filterContext.RouteData.Values["action"]) == "Index")
        {
            filterContext.Cancel = true;
            filterContext.Result = Index();
        }
    }
}
}
MrJavaGuy
  • 676
  • 5
  • 8
  • Does this get called before or after the [Authorize] attribute? – Todd Smith Nov 30 '08 at 23:16
  • It looks like the [Authoirze] attribute is evaluated first and never gets to the OnAuthoirization method. – Todd Smith Nov 30 '08 at 23:20
  • Gets called every time for me. – MrJavaGuy Nov 30 '08 at 23:27
  • Looking again at your question, you should be able to use the line fliterContext.Result = View("Login"); as well – MrJavaGuy Nov 30 '08 at 23:31
  • 1
    OnAuthorization is getting called except when I have a [Authorize] attribute on the controller itself. – Todd Smith Nov 30 '08 at 23:48
  • Are you using the beta of the MVC or one of the previews? I have the [Authorize] attribute on the controller as well. – MrJavaGuy Nov 30 '08 at 23:53
  • I'm using the beta. Perhaps the difference is the roles [Authorize (Roles = "Administrator")] – Todd Smith Dec 01 '08 at 00:54
  • glad to know I am not crazy :) – MrJavaGuy Dec 01 '08 at 01:07
  • There is one catch with this approach, if you have two versions of your login, one for get and one for post and your methods are decorated with [AcceptVerbs(HttpVerbs.Get)] and [AcceptVerbs(HttpVerbs.Post)] then the OnAuthorization method gets a bit more complicated. – Todd Smith Dec 01 '08 at 01:11
  • only a little, use filterContext.HttpContext.Request.HttpMethod for the verb – MrJavaGuy Dec 01 '08 at 14:37
  • Note, that `Cancel` property of `AuthorizationContext` has been removed since RC1. http://stackoverflow.com/questions/505653/what-happened-to-filtercontext-cancel-asp-net-mvc/505679#505679 – mipe34 Feb 08 '13 at 11:12
1

May be it's not actual, but I wrote my custom attribute:

public class SelectableAuthorizeAttribute : AuthorizeAttribute
{
    public SelectableAuthorizeAttribute(params Type[] typesToExclude)
    {
        _typesToExlude = typesToExclude;
    }

    private readonly Type[] _typesToExlude;

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        bool skipAuthorization = _typesToExlude.Any(type => filterContext.ActionDescriptor.ControllerDescriptor.ControllerType == type);

        if (!skipAuthorization)
        {
            base.OnAuthorization(filterContext);
        }
    }
}

And then registered it in my global filetrs:

filters.Add(new SelectableAuthorizeAttribute(typeof(MyController)));

Hope that it will be useful for someone

Azat
  • 2,215
  • 1
  • 27
  • 31