I have an MVC 3 site which is protected via Windows Authentication. However, there is a physical file at the root of the site, along with a controller action method (via a custom route), which need to be available without authenticating. What is the proper way to do this? I want the entire site protected without needing [Authorize] at the top of my controllers (or in a base controller class). On IIS 7, I have both Anonymous and Windows Authentication enabled at the site root.

Currently I have the following (applicable) sections in my Web.config:

<authentication mode="Windows" />
<location path="public.js"> <!-- physical file -->
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<location path="public.gif"> <!-- custom route to action method -->
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

If I don't put [Authorize] at the top of my controllers, I am never prompted for credentials. Do I just need a <deny users="?"/> somewhere, or is there a better way to approach this from the start?

Thanks!

Authentication for controller actions must be handled by the [Authorize] attribute. The web.config settings only apply to physical files.

If you don't want to put the [Authorize] attribute on each controller, you could make a base controller class that includes the [Authorize] attribute. All controllers that inherit from this base controller class would automatically require authentication.

Personally, I don't find it that difficult to add the [Authorize] attribute manually to each controller and prefer the finer level of control.