Develop Reference

asp mvc web api return 401 unauthorized

At first I'm beginner in asp. Start by asp.net tutorial to write a web api.
after the tutorial finished (I did not add any other code) when I try to test the Api it return me unautherize 401.
I found the below line in my Web.config
<authentication mode="None" />
and in WebApiCOnfig.cs
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
how can I access to my API without authentication? it's a simple test and no need to any authentication

use [AllowAnonymous] attribute on intended controller for all actions on that cotroller
[AllowAnonymous] // Applies to all ations
public class MyController : ApiController {
public IHttpActionResult MyAction1() {
//...
}
public IHttpActionResult MyAction2() {
//...
}
}
or only on the intended action
public class MyController : ApiController {
[AllowAnonymous] // Applies to only this ation
public IHttpActionResult MyAction() {
//...
}
//Still secure
public IHttpActionResult MyAction2() {
//...
}
}
When done testing you can remove them.

AllowAnonymous attribute make Authorize ignored

I've a admin dashboard project that need global authorization and I set it up on
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new AuthorizeAttribute());
}
That code make all my controller is being authorize.. And there is a controller that has [AllowAnonymous] attribute.. However I've sudden change request that an action on this controller need to be authorize..
[AllowAnonymous]
public class AuthController : Controller
{
[Authorize(Roles = "Admin")]
public ActionResult BumbaSection()
{
return View();
}
}
This is not working, I still can access this BumbaSection action.. Any idea?
Thanks

After I peek the authorize code, This part of code make the authorize not working :
public virtual void OnAuthorization(AuthorizationContext filterContext)
{
//code here
if (filterContext.ActionDescriptor.IsDefined(typeof (AllowAnonymousAttribute), true) || filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof (AllowAnonymousAttribute), true))
return;
//code here
}
Override this piece of code in authorize attribute class and my code is start working.. Maybe this will usefull for who that have some problem with me

How do I enable ssl for all controllers in mvc application

I have a MVC 5 app and I installed the ssl certificate and I'm now connecting with https, but in my code I had to set the '[requirehttps]' attribute on the homecontroller like so:
[RequireHttps]
public class HomeController : Controller
{}
Isn't there a way to set it for the whole application so I don't have to do this for each and every controller I have in the app?

Use the RegisterGlobalFilters method in your FiltersConfig.
public class FilterConfig
{
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new HandleErrorAttribute());
filters.Add(new RequireHttpsAttribute());
}
}

The [RequireHttps] attribute is inherited, so you could create a base controller, apply the attribute to that, and then derive all your controllers from that base.
[RequireHttps]
public abstract class BaseController : Controller
{}
public class HomeController : BaseController
{}
public class FooController : BaseController
{}

Is it possible to decorate a class or action to ignore a global attribute such as AuthorizeAttribute?

I am using MVC3, ASP.NET4.5, C# and Razor.
I would like to set an attribute globably ie AuthorizeAttribute. However I need to ensure that some classes and/or actions ignore this global setting. Is it possible to decorate a class and/or action to ensure this, and if so how?
Many thanks.

You can use the [AllowAnonymous] attribute (which is the default in ASP.NET MVC) to override your [Authorize] attribute
Assuming you have added your customized authorization logic to the default FilterConfig class:
public class FilterConfig
{
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new HandleErrorAttribute());
filters.Add(new MyCustomAuthorizationAttribute());
}
}
You can override that setting by decorating your controllers/action methods with [AllowAnonymous]:
// To allow anonymous access to all action methods
[AllowAnonymous]
public class MyController : Controller
{
// Only allow the Index action method to be called anonymously
[AllowAnonymous]
public ActionResult Index()
{
}
}

asp.net MVC antiforgerytoken on exception RedirectToAction

I have implimented the AnitforgeryToken with my asp.net MVC forms, and also added the attribute to my login procedure, however when the check failes i wish to redirect to my fraud action rather than an exception page. is this possible within the attribute ????
thanks

In case you do not want to put [HandleError] attribute on all actions that have [ValidateAntiForgeryToken], you may add a custom filter to your Global filters:
in Global.asax under Application_Start():
FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
and then:
public class FilterConfig
{
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new HandleErrorAttribute());
filters.Add(new AntiForgeryTokenFilter());
}
}
AntiForgeryTokenFilter.cs:
public class AntiForgeryTokenFilter : FilterAttribute, IExceptionFilter
{
public void OnException(ExceptionContext filterContext)
{
if(filterContext.Exception.GetType() == typeof(HttpAntiForgeryException))
{
filterContext.Result = new RedirectResult("/"); // whatever the url that you want to redirect to
filterContext.ExceptionHandled = true;
}
}
}

The ValidateAntiForgeryTokenAttribute will just throw HttpAntiForgeryException. You could use the HandleErrorAttribute to handle this scenario:
[HandleError(
ExceptionType = typeof(HttpAntiForgeryException),
View = "Unauthorized")]
[ValidateAntiForgeryToken]
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult SomeActionThatRequiresToken()
{
return View();
}