0

I'm using ASP.NET Authorization to deny users access to my site before logging in, but this is also blocking the Register.cshtml page. How do I sort out my authorizations to allow this page through?

<system.web>
<authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <location path="Content">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="Register.cshtml">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
Improve this question
1

2 Answers 2

Reset to default
7

IMHO, you should not use web.config to control the authentication of your application instead use Authorize attribute.

Add this in your Global.asax file under RegisterGlobalFilters method

    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute());
    }

or you can decorate also your controller with [Authorize]

[Authorize]
public class HomeController : Controller
{
    ...
}

For action which require Anonymous access use AllowAnonymous attribute

   [AllowAnonymous]
   public ActionResult Register() {
      // This action can be accessed by unauthorized users
      return View("Register");   
   }

As per Reference,

You cannot use routing or web.config files to secure your MVC application. The only supported way to secure your MVC application is to apply the Authorize attribute to each controller and use the new AllowAnonymous attribute on the login and register actions. Making security decisions based on the current area is a Very Bad Thing and will open your application to vulnerabilities.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Using these attributes, am I able to specify which roles are allowed to access certain pages?
@Neeta, yes you can there are ample material available to guide you like geekswithblogs.net/tyarmer/archive/2010/02/25/…
0

This is happening because you are denying everyone from application by using

<authorization>
      <deny users="?" />
    </authorization>

Above code will override all permission given to the folder

Good idea would be Deny user folderwise and keep Register/Login/Help/Contact pages at root level.

Improve this answer

2 Comments

Good advice except I don't think it's a good idea to mess up the folder structure just for authorization.
Agreed on this it will be a pain

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.