I was working on an MVC 4.0 web application that contained some WebAPI controllers. The requirement was to secure the site using Windows Authentication. However, only the web pages required security but, the Api controllers did not. I changed the web.config and IIS 7.5 to provide Windows Authentication. I then added an authorize attribute to my MVC controllers like “[Authorize(Roles = “FooWebUsers”)]”. Since, the WebAPI controllers did not need security I added the [AllowAnonymous] attribute to those controllers.
I tested the site and discovered the MVC Controllers were properly secured, prompting a login – ok good. Hit one of the API routes in fiddler and got a NT challenge and response or prompt for Login. What’s going on here? I added [AllowAnonymous] to the API controllers – not working. After much digging around I found what I wanted by implementing a custom Authorization attribute. Here’s the steps I went through to implement this.
In order to implement Windows Authentication you will need to change the authentication mode in the sites Web.config file to “Windows” like below:
<compilation debug="false" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<authentication mode="Windows" />
Next, IIS 7.5 requires a few changes as well. Within IIS Manager, click your site then in the right pane click the “Authentication” icon located in the “IIS” section. Set “Windows Authentication” to Enabled and set “Anonymous Authentication” to Enabled. Here’s what the authentication should look like:
Now, you have IIS and the web.config setup the rest of this post will explain the various pieces of code to be implemented.
public class ApiAuthorizeSkip : AuthorizeAttribute
public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
if (!(actionContext.ControllerContext.Controller is APIController1 ||
actionContext.ControllerContext.Controller is APIController2))
You can add a wide range of custom logic in this method, check users in role, whether a controller inherits from foobase Controller etc..
Next, you will need to modify the Global.asax file making it aware that your app is to use this new custom authorization. Add code shown below to the Application_OnStart():
protected void Application_Start()
var container = ObjectFactory.Container;
Notice: The class name provided to the Filters.Add method in the highlighted code above matches the name of the custom authorization class I created.