ASP MVC Authorize all actions except a few

逝去的感伤 2020-12-13 00:29

I have a controller and I would like to require Authorization for all actions by default except a couple. So in the example below all actions should require authentication e

7 Answers
  • 2020-12-13 01:09

    Mark the controller with [Authorize]

    [Authorize]
    public class YourController : ApiController

    Mark actions you want public with:

    [AllowAnonymous]

  • 2020-12-13 01:09

    Little late to the party, but I ended up creating a Controller-level auth attribute and an Action-level auth attribute and just skipping over the Controller auth if the Action had its own Auth attribute. See code here:

    https://gist.github.com/948822

  • 2020-12-13 01:11

    MVC4 has a new attribute exactly meant for this [AllowAnonymous] (as pointed out by Enrico)

    [AllowAnonymous]
    public ActionResult Register()
    

    Read all about it here:

    http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx

  • 2020-12-13 01:24

    Use a custom filter as described in Securing your ASP.NET MVC 3 Application.

  • 2020-12-13 01:25

    Ok, this is what I did. If there is a better way let me know.

    using System.Linq;      // Any()
    using System.Web.Mvc;   // Controller, FilterAttribute, ActionExecutingContext

    public class NotAuthorizeAttribute : FilterAttribute
    {
        // Does nothing, just used for decoration
    }

    public class BaseController : Controller
    {
        // Runs before every action of any controller that derives from BaseController
        protected override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            // Check if this action has NotAuthorizeAttribute
            object[] attributes = filterContext.ActionDescriptor.GetCustomAttributes(true);
            if (attributes.Any(a => a is NotAuthorizeAttribute)) return;

            // Must login
            if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
            {
                // Short-circuit the action with a 401 response
                filterContext.Result = new HttpUnauthorizedResult();
            }
        }
    }
    
  • 2020-12-13 01:28

    What about [AllowAnonymous] ??

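An added example, not code from any of the answers above: once a controller is protected by default with [Authorize] and opened up per action with [AllowAnonymous], the risk moves to the exception list, so this reflection check reports every anonymous action that is not on a reviewed allowlist and every action with no authorization attribute at all. It assumes MVC 4 or later (System.Web.Mvc referenced) and that protection comes from attributes rather than a globally registered filter; `AccountController`, its `Login` and `Manage` actions, `AnonymousAccessAudit`, `Expected` and `FindProblems` are hypothetical names.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Constructed sample controller: protected by default, two deliberately public actions.
[Authorize]
public class AccountController : Controller
{
    [AllowAnonymous] public ActionResult Login() { return View(); }
    [AllowAnonymous] public ActionResult Register() { return View(); }
    public ActionResult Manage() { return View(); }   // requires login via the controller attribute
}

public static class AnonymousAccessAudit
{
    // Reviewed list of "Controller.Action" names that are meant to be reachable without login.
    static readonly HashSet<string> Expected =
        new HashSet<string> { "Account.Login", "Account.Register" };

    // Returns one message per action whose access level was not an explicit, reviewed decision.
    public static IEnumerable<string> FindProblems(Assembly asm)
    {
        var controllers = asm.GetTypes()
            .Where(t => !t.IsAbstract && typeof(Controller).IsAssignableFrom(t));
        foreach (var c in controllers)
        {
            bool controllerAuth = c.IsDefined(typeof(AuthorizeAttribute), true);
            bool controllerAnon = c.IsDefined(typeof(AllowAnonymousAttribute), true);
            // Public instance methods declared on the controller are its candidate actions.
            var actions = c.GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => !m.IsSpecialName && !m.IsDefined(typeof(NonActionAttribute), true));
            foreach (var m in actions)
            {
                string name = c.Name.Replace("Controller", "") + "." + m.Name;
                // [AllowAnonymous] on the action or the controller makes [Authorize] skip its check.
                bool anon = controllerAnon || m.IsDefined(typeof(AllowAnonymousAttribute), true);
                bool auth = controllerAuth || m.IsDefined(typeof(AuthorizeAttribute), true);
                if (anon && !Expected.Contains(name))
                    yield return name + ": anonymous but not on the reviewed list";
                else if (!anon && !auth)
                    yield return name + ": no [Authorize] and no [AllowAnonymous]";
            }
        }
    }
}
```

Called from a unit test as `AnonymousAccessAudit.FindProblems(typeof(AccountController).Assembly)`, the sample returns no problems; adding [AllowAnonymous] to `Manage` or removing [Authorize] from the controller makes it report the affected actions.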