I am trying to create a "heartbeat" page on my ASP.NET MVC 4 system, so we can check on an automated basis that everything is working OK. All it's going to do is run a simple query on the DB and make sure no exception is thrown, in which case it'll return Json "success", otherwise it'll return the exception message.
The rest of the system is protected by Forms authentication:
<authentication mode="Forms">
<forms name=".ADAuthCookie2" loginUrl="~/Account/Login" timeout="60" slidingExpiration="true" />
</authentication>
...
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
But obviously I don't want to force authentication for a heartbeat check. So I've created a HeartBeatController, and tagged both the controller and the Index() method with [AllowAnonymous] - but still, when I try to access the /HeartBeat url, I get redirected to the login page.
What am I missing?
You'll have to remove the
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
as I believe the AllowAnonymous attribute won't override that.
UPDATE
You'll have to add an Authorize attribute to the controllers, or as the following article mentions, you can set it in GlobalFilters