I have an MVC5 application that is throwing a NullReferenceException on the production server when using the [Authorize]
attribute on a controller. The application is using forms authentication.
The production server is Server 2008 SP 2 (.NET 4.5.1 and IIS 7).
The start of the stack trace is:
[NullReferenceException: Object reference not set to an instance of an object.]
System.Web.Mvc.AuthorizeAttribute.AuthorizeCore(HttpContextBase httpContext) +38
System.Web.Mvc.AuthorizeAttribute.OnAuthorization(AuthorizationContext filterContext) +293
System.Web.Mvc.ControllerActionInvoker.InvokeAuthorizationFilters(ControllerContext controllerContext, IList`1 filters, ActionDescriptor actionDescriptor) +155
I can fix it by setting
<modules runAllManagedModulesForAllRequests="true">
However, I prefer not to use such a sledgehammer method.
Is there a cleaner way of fixing this problem?
IIS and IIS Express have some differing behaviors for request authentication. The
HttpContext.User.Identity
property may not be set when theAuthorizeAttribute.AuthorizeCore()
method executes (hence theNullReferenceException
), due the fact that the authentication module does not always run.You could change the precondition for only the authentication modules you need instead of loading all modules for all requests. For example, the FormsAuthenticationModule has:
preCondition="managedHandler"
by default.