Exclude specific path from WIF authorization in a ASP.NET MVC 4 project

thmshd · Nov 8, 2012 · Viewed 9.6k times

We have successfully configured Windows Identity Foundation (WIF) in our ASP.NET 4.5 MVC 4 project with the help of the Identity and Access... extension for Visual Studio 2012. But we are unable to exclude a specific path from authorization to allow anonymous access.

When we access our default route (i.e. /Home), the passive redirection will redirect us to the configured issuer Uri. This is correct. But now assume we want to exclude Path /Guest from STS Authentication so that everybody can access http://ourhost/Guest without being routed to the STS issuer. Only static documents are located there.

Snippets from Web.config:

<system.identityModel>
  <identityConfiguration>
    <audienceUris>
      <add value="http://ourhost/" />
    </audienceUris>
    <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
      <trustedIssuers>
        <add thumbprint="9B74****40D0" name="OurSTS" />
      </trustedIssuers>
    </issuerNameRegistry>
    <certificateValidation certificateValidationMode="None" />
  </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="false" />
    <wsFederation passiveRedirectEnabled="true" issuer="http://oursts/Issue" realm="http://ourhost/" reply="http://ourhost/" requireHttps="false" />
  </federationConfiguration>
</system.identityModel.services>

Further we have...

<system.webServer>
  <!-- ... -->
  <modules runAllManagedModulesForAllRequests="true">
    <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    <remove name="FormsAuthentication" />
  </modules>
</system.webServer>

and finally:

<system.web>
  <!-- ... -->
  <authentication mode="None" />
</system.web>

We tried the following without success:

<location path="~/Guest"> <!-- also "/Guest" is not working -->
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

We also tried to put a small Web.config file into this folder, without success. No matter which Uri we locate to in the browser, we're always redirected.

What is the proper way to accomplish this?

EDIT

Removed the previous "accepted answer", set "accepted answer" to Eugenio's answer as this is the more useful reply.

Answer

Eugenio Pace · Nov 8, 2012

In an MVC app you typically define access through the [Authorize] attribute in controllers and actions.

Just remove from web.config:

<system.web>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>

Note: this is usually added automatically by the "Add STS Reference" wizard in VS2010.

It seems that the behaviour is exactly the same on VS2012 and the new tools. I just created a brand new MVC4 app. Ran the "Identity and Access..." tool with a local config STS (left all defaults).

It did add this fragment to the web.config:

<authorization>
  <deny users="?" />
</authorization>

I removed it and added [Authorize] to the About controller action:

[Authorize]
public ActionResult About()
{
    ViewBag.Message = "Your app description page.";

    return View();
}

When I click on the "About" link, then I get redirected to the STS. Everything else works with anonymous access.

Note:

You have some control on this too in the wizard (see the "Configuration" page of the wizard).
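The following is an added example, not code from the question or from Eugenio's answer. It shows the same approach taken one step further: once `<deny users="?" />` is removed from Web.config, an `AuthorizeAttribute` is registered as a global MVC filter so that every action is protected by default, and only the `/Guest` path is opened up with `[AllowAnonymous]`. The namespace and controller names are assumptions; the WS-Federation modules from the question's Web.config are assumed to still be registered, and `FilterConfig.RegisterGlobalFilters` is assumed to be called from `Application_Start` as in the MVC 4 project template.

```csharp
// Added example (not from the question or the answer): "deny by default,
// allow explicitly" for an ASP.NET MVC 4 app behind WIF.
// Assumptions: the <authorization><deny users="?" /></authorization> block
// has been removed from Web.config (so nothing returns 401 before MVC runs),
// and the WSFederationAuthenticationModule/SessionAuthenticationModule from
// the question are still configured.
using System.Web.Mvc;

namespace OurHost   // hypothetical namespace
{
    public class FilterConfig
    {
        // Called from Global.asax Application_Start in the MVC 4 template:
        //   FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HandleErrorAttribute());

            // Every action now requires an authenticated principal unless the
            // action or its controller carries [AllowAnonymous]. For an
            // unauthenticated request MVC returns 401, and the
            // WSFederationAuthenticationModule turns that 401 into the
            // passive redirect to the STS. Forgetting [Authorize] on a new
            // controller therefore fails closed instead of open.
            filters.Add(new AuthorizeAttribute());
        }
    }

    // Covered by the global filter: requesting /Home without a session
    // cookie triggers the redirect to the STS, exactly as in the question.
    public class HomeController : Controller
    {
        public ActionResult Index()
        {
            // User is populated by the SessionAuthenticationModule from the
            // WIF session cookie, not by forms authentication.
            ViewBag.Message = "Signed in as " + User.Identity.Name;
            return View();
        }
    }

    // The exception the question asks for: /Guest is reachable anonymously.
    // [AllowAnonymous] on the controller covers all of its actions; placing
    // it on a single action limits the exception to that action only.
    [AllowAnonymous]
    public class GuestController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }
    }
}
```

Two practical notes on this layout. Static documents under `~/Guest/` never reach MVC at all; with `<deny users="?" />` in place the 401 that caused the redirect came from URL authorization running for every request (because of `runAllManagedModulesForAllRequests="true"`), so once that rule is gone IIS serves them directly. If you would rather keep `<deny users="?" />` as a site-wide rule, the `<location>` element in the question needs `path="Guest"` (relative to the Web.config directory, without `~/` or a leading slash); with that form the `<allow users="*" />` inside it takes precedence over the inherited deny for that folder.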