ASP MVC Authorize all actions except a few

I have a controller and I would like to require Authorization for all actions by default except a couple. So in the example below all actions should require authentication except the Index. I don't want to decorate every action with the Authorize, I just want to override the default authorization in certain circumstances probably with a custom filter such as NotAuthorize.

public class HomeController : BaseController
    public ActionResult Index()
        // This one wont
        return View();

    public ActionResult About()
        // This action will require authorization
        return View();


Ok, this is what I did. If there is a better way let me know.

public class NotAuthorizeAttribute : FilterAttribute
    // Does nothing, just used for decoration

public class BaseController : Controller
    protected override void OnActionExecuting(ActionExecutingContext filterContext)
        // Check if this action has NotAuthorizeAttribute
        object[] attributes = filterContext.ActionDescriptor.GetCustomAttributes(true);
        if (attributes.Any(a => a is NotAuthorizeAttribute)) return;

        // Must login
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpUnauthorizedResult();

What about [AllowAnonymous] ??

MVC4 has a new attribute exactly meant for this [AllowAnonymous] (as pointed out by Enrico)

public ActionResult Register()

Read all about it here:

Here's what I would do, similar to Craig's answer with a couple of changes:

1) Create an ordinary attribute deriving from System.Attribute (no need to derive from FilterAttribute since you aren't going to be using anything FilterAttribute provides).

Maybe create a class hierarchy of attributes so you can test based on the hierarchy, e.g.


2) In your BaseController override the OnAuthorization method rather than the OnActionExecuting method:

protected override void OnAuthorization(AuthorizationContext filterContext)
    var authorizationAttributes = filterContext.ActionDescriptor.GetCustomAttributes(true).OfType<AuthorizationAttribute>();
    bool accountRequired = !authorizationAttributes.Any(aa => aa is AuthorizationNotRequiredAttribute);

I like the approach of being secure by default: even if you forget to put an attribute on the Action it will at least require a user to be logged in.

Use a custom filter as described in Securing your ASP.NET MVC 3 Application.

Mark the controller with [Authorize]

[Authorize] public class YourController : ApiController

Mark actions you want public with :


Little late to the party, but I ended up creating a Controller-level auth attribute and an Action-level auth attribute and just skipping over the Controller auth if the Action had its own Auth attribute. See code here:

Need Your Help

Getting WP Tinymce's Content

javascript wordpress tinymce wysiwyg

I'm trying to write a Wordpress plugin. I will get counts words which in WP's Tinymce editor.