
Question: Web API hosted in Web Forms, cannot access the login-verification controller

Bounty: 5 points [Unresolved question]

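Web API is hosted in a Web Forms site. I added an AccountController for login verification, but because forms authentication is applied to the whole site, the action cannot be reached.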

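If I set the forms authentication loginUrl to the login action of AccountController, the action can be reached when logging in. But then requests for pages other than the loginUrl are not automatically redirected to the login page.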

 

I added a web.config under the controller folder, but the action still cannot be accessed:

<authorization>
<allow users="*"/>
</authorization>

 

The web.config for the whole site has the following configuration:

<authorization>
<deny users="?"/>
</authorization>

 

If I remove this configuration, the action can be accessed anonymously.

Additional information:

I found a question on Stack Overflow that is the same as mine, pasted here:

 http://stackoverflow.com/questions/14017595/web-api-anonymous-service-access-with-forms-authentication

I am trying to determine how to configure access to a Web API controller service under forms authentication. If I add authorization configuration to deny all anonymous users by adding the authorization element:

<authorization>
   <!-- Deny all anonymous users -->
   <deny users="?" />
</authorization>

Only the login page is accessible as expected. But I would also like access to a list returned from a controller. I added the [AllowAnonymous] attribute to a simple service that returns values used to populate a drop down menu. For example:

using System.Collections.Generic;
using System.Web.Http;

namespace WebAPI.Controllers
{
    public class RegisterController : ApiController
    {
        // Returns the values used to populate the drop-down menu.
        // ListElement is the poster's own type (definition not shown).
        [AllowAnonymous]
        public List<ListElement> GetActivitiesList()
        {
            List<ListElement> li = new List<ListElement>();
            li.Add(new ListElement() { Id = 1, Text = "Item 1" });
            li.Add(new ListElement() { Id = 2, Text = "Item 2" });
            li.Add(new ListElement() { Id = 3, Text = "Item 3" });
            return li;
        }
    }
}

I added the controllers directory to the allowed list in the web.config:

<location path="Controllers">
   <system.web>
   <authorization>
      <allow users="*" />
   </authorization>
   </system.web>
</location>

If I browse my sample page to invoke the controller, forms authentication still denies access with a 302 redirect to the login page, even if I add the [AllowAnonymous] attribute. If I remove the authorization element "<deny users="?" />" for the entire site, I can control access using the [Authorize] and [AllowAnonymous] attributes.

The objective is to be able to use specific services on a few pages (like registration) for anonymous users, while the rest of site access is restricted to authenticated users. Accessing a service is not exactly the same as accessing a file, so my guess is that I have to write a special handler for this situation, but I am not sure as to how to go about it.

3b阿当 | Beginner, Level 1 | Points: 12
Asked: 2015-03-10 10:58
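
The configuration described in the question, shown next to a narrowly scoped alternative. This is an added example, not part of the original post or of the quoted Stack Overflow question. It assumes the default Web API route template `api/{controller}/{id}` and a hypothetical login page `~/Login.aspx`. ASP.NET URL authorization is evaluated against the requested URL path before Web API filters such as `[AllowAnonymous]` run, so a `<location>` rule has to name the route, not the source folder.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- hypothetical login page; substitute the site's own loginUrl -->
      <forms loginUrl="~/Login.aspx" />
    </authentication>
    <!-- Site-wide default: anonymous requests are redirected to loginUrl -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- As in the question: has no effect on API calls. "Controllers" is the
       folder holding the .cs files; no request URL starts with /Controllers. -->
  <location path="Controllers">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Scoped exception: matches requests under /api/Register (assumed
       default route). Only this controller becomes reachable anonymously;
       everything else, including other /api/* routes, stays behind the
       site-wide deny rule. -->
  <location path="api/Register">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With the URL rule opened for that one route, `[Authorize]` and `[AllowAnonymous]` on the controller decide access per action; keeping the `<location>` path as specific as possible avoids exposing other API controllers to anonymous callers.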