How to exclude one controller action from authorize filter in ASP.NET MVC 3?

4
votes

In ASP.NET MVC 3 I can put AuthorizeAttribute inside Global.asax's RegisterGlobalFilters, and it will apply to all controllers' actions. But how can I exclude some controller actions so these actions can be called without the user logging in?

EDIT:

Sorry, additional question, if I add authorize on the class, how can I exclude one action?

1
asp.net-mvc
This guy describes exactly what your looking for with very little code and step by step explanation.. Introducing a global Authorization Filter and an AllowAnonymousAttribute blog.tomasjansson.com/2011/08/… - Renato H.
This post describe a way how to exclude arbitrary filters (see question, not answer). I am not aware of ASP.NET MVC 3 but it seems plausible. - Jakub Šturc
Implemented my own custom filter. Please see my post here it it will be useful for you: stackoverflow.com/a/11554471/188862 - Azat

1 Answers

9
votes

You can't do this with global filters. As their name indicates => they are global.

One way is to have all controllers that require authorization derive from a common base controller decorated with the [Authorize] attribute. Controllers that doesn't require authorization will not derive from this base controller.

Another possibility in ASP.NET MVC 3 is to write a custom IFilterProvider which based on the context will apply or not the given filters. I would recommend you reading the following blog post.