By default in my application, I have denied all users who are not in a particular active directory group, which works correctly.
Here is the snippet of the relevant part of my web.config.
<system.web>
  <authentication mode="Windows" />
  <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
  <!-- URL authorization: members of the AD group are allowed, everyone else is denied -->
  <authorization>
    <allow roles="domainXXX\GroupXXX" />
    <deny users="*" />
  </authorization>
  <identity impersonate="true" />
  <customErrors mode="RemoteOnly" defaultRedirect="~/Error">
    <error statusCode="401" redirect="~/Error/Unauthorised" />
  </customErrors>
</system.web>
Now I would like the actions in a single controller to be accessible without authorisation. I have tried to add the [AllowAnonymous] attribute to my controller, but I still must be logged in to access these actions. Is it not possible to mix these approaches? i.e. restrict role in web.config and allow anonymous users via the [AllowAnonymous] attribute in a controller?
I went with this. Instead of restricting the role globally in web.config, the [AuthorizeAttribute] is now applied to all routes via FilterConfig.cs. When added like this in code (and not in config) then the [AllowAnonymous] attribute seems to work as expected and allow authenticated access when it is annotated over a controller or action.

FilterConfig.cs

This allows control at the controller level rather than having to hard code URIs. So the URI of a controller can change and the attribute will still work as expected. If this was configured in web.config, you would have to remember to change the URI there.

Blogged here: http://spencerooni.github.io/2015/07/12/authenticating-and-authorizing-users-from-active-directory-in-asp.net.html
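The reason the two approaches do not mix is pipeline ordering: the `<authorization>` element in web.config is enforced by ASP.NET's UrlAuthorizationModule before the request ever reaches the MVC handler, so an anonymous request is rejected with a 401 and the [AllowAnonymous] attribute on the controller is never consulted. Moving the role check into a global AuthorizeAttribute keeps the deny-by-default posture while letting individual controllers opt out explicitly. The following is an added example of that layout, not the answerer's own FilterConfig.cs (which is not shown on the page); it assumes an ASP.NET MVC 5 project, and the group name domainXXX\GroupXXX and the controller names are the question's placeholder and hypothetical names respectively.

```csharp
using System.Web.Mvc;

namespace MyApp
{
    // FilterConfig.cs: register the role check as a global filter so that every
    // action is protected unless it explicitly opts out with [AllowAnonymous].
    public class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HandleErrorAttribute());

            // Deny-by-default: the caller must be authenticated (Windows auth) and a
            // member of the AD group. Roles are resolved by the role provider
            // configured in web.config (AspNetWindowsTokenRoleProvider).
            filters.Add(new AuthorizeAttribute { Roles = @"domainXXX\GroupXXX" });
        }
    }

    // Global.asax.cs, Application_Start, wires the filters in (unchanged from the
    // MVC project template):
    //   FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);

    // Hypothetical controller that is reachable without a Windows logon.
    // AuthorizeAttribute looks for [AllowAnonymous] on the action or controller
    // before enforcing the role, so the global filter is skipped here.
    [AllowAnonymous]
    public class PublicController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }
    }

    // Hypothetical controller with no attribute at all: the global
    // AuthorizeAttribute still applies, so anonymous callers get a 401 and
    // authenticated users outside the group are refused.
    public class ReportsController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }
    }
}
```

With this in place the `<allow roles="…" />` and `<deny users="*" />` lines are removed from the web.config `<authorization>` element (the `<authentication mode="Windows" />` and `<roleManager>` settings stay, since the filter relies on them). For the anonymous controller to actually be served, IIS must have Anonymous Authentication enabled alongside Windows Authentication; otherwise IIS challenges every request before ASP.NET runs, and [AllowAnonymous] again has no effect. When reviewing the application, grep for [AllowAnonymous] to enumerate the full set of deliberately unauthenticated entry points.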