I have an ASP.NET MVC site that is locked down using Forms Authentication. The web.config has

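<authentication mode="Forms">
    <forms defaultUrl="~/Account/LogOn" loginUrl="~/Account/LogOn" timeout="2880"/>
</authentication>
<authorization>
    <!-- "?" matches anonymous (unauthenticated) users -->
    <deny users="?"/>
</authorization>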


None of my pages other than Account/LogOn can be viewed unless the user is authenticated.

Now I am trying to add PayPal IPN to my site and in order to do that I need to have two pages that handle PayPal's payment confirmation and thank you page. These two pages need to be available for anonymous users.


I would like these pages to be controller actions off my Account controller. Is there any way I can apply an attribute to specific action methods that makes them available to anonymous users? I found several posts here that attempt to do that, but most people wanted the opposite scenario.

Basically I want my AccountController class to have no authorization for most of the methods except for a few. Right now it looks like only the LogOn method is available to anonymous users.


Yes you can. In your AccountController there's an [Authorize]-attribute either on class-level (to make the whole controller restricted) or on specific methods.

To make specific actions restricted you simply use the Authorize-attribute on the methods that handle these actions, and leave the controller-class unrestricted.


Here are a few examples... hope it helps


To require users to log in, use:

[Authorize]
public class SomeController : Controller

// Or
[Authorize]
public ActionResult SomeAction()


To restrict access for specific roles, use:

[Authorize(Roles = "Admin, User")]
public class SomeController : Controller

// Or
[Authorize(Roles = "Admin, User")]
public ActionResult SomeAction()


And to restrict access for specific users, use:

[Authorize(Users = "Charles, Linus")]
public class SomeController : Controller

// Or
[Authorize(Users = "Charles, Linus")]
public ActionResult SomeAction()


As you can see, you can either use the attribute at class-level or at method-level. Your choice!
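
An added example, not part of either answer above: the method-level approach applied to the controller from the question, plus a small reflection audit that lists which actions remain reachable without `[Authorize]`. The action names `PayPalIpn`, `PayPalThankYou`, `ChangePassword` and `ManageUsers` and the `AnonymousActionAudit` helper are hypothetical. It assumes the site-wide `<deny users="?"/>` rule has been removed from web.config, because that rule is evaluated before any MVC attribute and would still redirect anonymous requests to the login page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Hypothetical controller: no [Authorize] on the class, so each action opts in.
public class AccountController : Controller
{
    public ActionResult LogOn() { return View(); }

    // Anonymous on purpose: PayPal's servers call this without a forms-auth cookie.
    // The request body is untrusted input until it has been verified with PayPal.
    [HttpPost]
    public ActionResult PayPalIpn() { return new EmptyResult(); }

    public ActionResult PayPalThankYou() { return View(); }

    [Authorize]
    public ActionResult ChangePassword() { return View(); }

    [Authorize(Roles = "Admin")]
    public ActionResult ManageUsers() { return View(); }
}

public static class AnonymousActionAudit
{
    // Names of public actions on the controller that carry no [Authorize],
    // neither on the method nor on the class. Assumes actions return ActionResult
    // and that no global authorization filter is registered elsewhere.
    public static IEnumerable<string> AnonymousActions(Type controller)
    {
        if (controller.IsDefined(typeof(AuthorizeAttribute), true))
            return Enumerable.Empty<string>();

        return controller
            .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
            .Where(m => typeof(ActionResult).IsAssignableFrom(m.ReturnType))
            .Where(m => !m.IsDefined(typeof(NonActionAttribute), true))
            .Where(m => !m.IsDefined(typeof(AuthorizeAttribute), true))
            .Select(m => m.Name)
            .Distinct();
    }
}
```

Calling `AnonymousActionAudit.AnonymousActions(typeof(AccountController))` from a unit test and comparing the result with the intended list of public pages catches an action that was added later without its attribute.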

