ASP.NET MVC Beta Authorize attribute sends me to wrong action

Today I started playing with the MVC 3 Beta. Started with an application from default MVC 3 template, added a new action in the Home controller as follows(with a view for it)

[Authorize]
public ActionResult Secured()
{
    ViewModel.Message = "This is secured area, only authenticated users should be her开发者_JS百科e.";
    return View();
}

Now when I try to go to navigate to Secured action I get a 404 page not found error.

Here is the authentication section from my web.config.

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>

If I understood it right the Authorize attribute should result in a 401 unauthorized HTTP response which should be intercepted by the authentication handler and redirect me to the loginUrl. Which should result in Account/LogOn action.

My MVC 2 application works as expected and takes me to Account/LogOn action, am I missing something? or Is this a bug in MVC 3 beta?

It doesn't work with the RTM any more

You need to add

<add key="loginUrl" value="~/Account/LogOn" />

to the appSettings in the Web.Config

The issues is in ConfigUtil in WebMatrix.WebData

private static string GetLoginUrl()
{

    return ConfigurationManager.AppSettings[FormsAuthenticationSettings.LoginUrlKey] ?? FormsAuthenticationSettings.DefaultLoginUrl;
}



staticFormsAuthenticationSettings()
{
    LoginUrlKey = "loginUrl";
    DefaultLoginUrl = "~/Account/Login";
}

ScottGu replies to a similar question on his blog that this is apparently a bug.

The workaround is to add this entry:

<add key="autoFormsAuthentication" value="false" />

to your <appSettings/> section in the web application's root web.config file.

After I delete WebMatrix*.dll in bin directory, everything is OK.

MVC 4 exhibits the same problem. However on MVC 4 if authentication mode is correctly set to ="Forms" in the configuration file, like in the following, the problem disappears:

<authentication mode ="Forms">
    <forms loginurl = "your login" timeout ="2880" slidingExpiration="true">
</authentication>

It works for me. Take out the mode and it gives you trouble.