Allow Anonymous Access to ForgotPassword Page - asp.net-mvc

I have a link to /ForgotPassword on my Login page. When it's clicked, I'm just redirected to /Login?ReturnUrl=%2fForgotPassword. This is an MVC5 app using Form-based authentication. I'm attempting to use AllowAnonymous, but it isn't working.
Web Config:
<location path=".">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="Content">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Scripts">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="App_Themes">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<authentication mode="Forms">
<forms loginUrl="~/Login" timeout="15"/>
</authentication>
ForgotPassword Controller:
[AllowAnonymous]
public class ForgotPasswordController : Controller
{
[AllowAnonymous]
public ActionResult Index()
{
return View();
}
}
No such luck. Aside from a _ViewStart, I can't find anything that is being used that should be decorated with AllowAnonymous.
What I'm a missing here? Thanks!

don't use authorization tags in we.config, use only authorization attributes in controllers and actions.
authorization tags in web.config are useful to allow/restrict Access to files and it Works well with web forms and static content.
But in MVC there is routes which is mapped to controllers and actions, and you may have different actions in the same controller with different authorization tags, e.g.: you can use [Authorize] for the whole controller, and allow only one action for anonymouse users by using [AllowAnonymous] attribute to the desired action only.
read more here: https://weblogs.asp.net/jongalloway/asp-net-mvc-authentication-global-authentication-and-allow-anonymous

Related

Swap between MVC routing and Durandal routing

Long story short: We're trying to set up Durandal SPA in our pre-existing ASP.NET MVC website. What's we're going for is the ability to hide the SPA behind a feature flag, to where we can enable the SPA flag and have our website adjust accordingly.
We have that portion of it working. However, what we had to do is prefix all of our routes with "/app#" and then tack on the controller/action. For example, "Index" would become "app#Index" in the URL. Durandal routing works just fine with this approach - it pulls the necessary views into place.
What we would like is to use the same routes instead of prefixing each one with "app#" - essentially use Durandal routing when the SPA flag is enabled, otherwise use normal MVC routing, but keep the routes the same.
Any suggestions?
If you know about modules requires convention of the Durandal, will be very simple to understand, you just need to insert this configuration in the Web.config:
Web.config
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="OPTIONSVerbHandler" />
<remove name="TRACEVerbHandler" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
<add name="HtmlFileToMvcHandler" path="App/views/*/*.html" verb="GET" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
Observe that i created the handler "HtmlFileToMvcHandler" with this pattern "App/views/*/*.html" i used that pattern because my CRUD convention, and with this i told to the MVC handler that all of the requests that comes with this pattern will be handled. But now you need handle the requests that will came. So you can use the RouteAttribute like this:
[Route("App/View/Home/index.html")]
public ActionResult Index()
{
return View();
}
or map that route in the route config like this:
routes.MapRoute("Name",
"App/views/{controller}/{action}.html");
My english will be better in the next time XD

MVC4 [Authorize] Attribute, change where it redirects when a user is not logged in

I am using [Authorize] tags to ensure a user is logged in before viewing a controller or action. However, it redirects to :
Account/Login?ReturnUrl=%2f_internal%2fHome%2f
and I would like to change this to redirect to /Account/Account/Login (to include the area), but I can't seem to find where I can go to change this link?
If you are using Forms Authentication you can edit the URL in the web.config file in the root of your application. The section will look something like the following.
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
</system.web>
Change the loginUrl attribute and you are good to go :)

prevent Authentification for specific route

I have a MVC Webapplication. It uses Forms auhtentification.
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="90" />
</authentication>
How can i bypass this for a single route, like xyz.com/us/ht/ht?
I want to bypass the whole functionality to prevent getting aspxanonymous cookies and i dont want entries in the membership db for this route.
If you are using MVC4 just add the [AllowAnonymous] tag to your controller action.
Otherwise do it in your web.config like this
<configuration>
<location path="route/thatanon/isallowed">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
One way to solve this is to use a custom AnonymousIdentificationModule for the route /us/ht/ht/.
The stuff is handled here ->
System.Web.Security.AnonymousIdetificationModule

Login page in MVC3 application - Login function can't be found

I am trying to create my own form-authentication view in MVC application, but my site appear not to find the Login function.
I first tried to create a regulr view, and call the function using ajax, but it didn't work, so I tried to use form and submit as following:
<form method="post" action="~/Login/Login_btnClick">
<input type="submit" name="Login" value="Login" />
of course I also declared in the web config it's form authentication, and set the login page to be the link:
<authentication mode="Forms">
<forms loginUrl="~/Login/Login" defaultUrl="~/Home/index" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
I also used locations so my javascripts and css files will be found. As I got the
Failed to load resource: the server responded with a status of 400 (Bad Request)
error, I tried to add also the Controllers folder to locations:
<location path="Controllers">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
But it still got me the same error....
Any idea what might solve my problem ?
Thanks
You should create a corresponding controller action that will handle the form submission. So for example if you have the following form:
<form method="post" action="/Login/LogOn">
<input type="submit" name="Login" value="Login" />
</form>
then you should create a LogOn action on your Login controller:
[HttpPost]
public ActionResult LogOn()
{
...
}
Also the snippet you have shown from your web.config in which you are disabling access to the Controllers folder is absolutely unnecessary. In ASP.NET MVC controllers are compiled and when you deploy your application such folder doesn't exist at all.
In addition to that authorization in ASP.NET MVC is controlled with the [Authorize] attribute, not in web.config using the <authorization> tag. So for example if you want to protect a certain controller action from being accessible only to authenticated users you simply decorate it with this attribute:
[Authorize]
public ActionResult Index()
{
...
}
Here are some tutorials on the ASP.NET MVC site which illustrate how you could implement authentication and authorization in an MVC application.
Also when you create a new ASP.NET MVC 3 application using the Internet Template there's already an AccountController created for you as well as the corresponding views. You could play with this out-of-the-box template to better understand the concepts.
Thanks, I got the solution....
I should have done 2 things:
1. Change the
<deny users="?" />
to:
<allow users="?" />
change in my form the action so it should be: #Url.Action("MyLoginFunc", "MyLoginController")

Can the MvcSiteMap work like the one in WebForms

In webforms if a path is not accesable for a certain user, it will be hidden, can this be done with the MvcSiteMap?
https://github.com/maartenba/MvcSiteMapProvider
In Webforms all you need todo is
<location path="SomePath">
<system.web>
<authorization>
<allow roles="SomeRole" />
<deny users="*" />
</authorization>
</system.web>
</location>
If you do not belong to the SomeRole the menu item will be hidden, possible in MvcSiteMap?
In ASP.NET the recommended way to define authorization is to use the AuthorizeAttribute.
The AuthorizeAttribute is fully supported by MvcSiteMapProvider when securityTrimming is enabled. See Registering the provider.
I know this is an old post but just in case someone else happens upon it, you can explicitly achieve what you are looking for by adding the roles attribute to your mvc.sitemap file where you register the nodes. Anyone not belonging to the role will not be able to see the node with that attribute.
<mvcSiteMapNode title="TheMenuOption" clickable="false" roles="someRole">

Resources