I don't think there's a simple way to achieve that, other than explicitly specifying the Authorize attribute explicitly on each controller action:
public class ProductController : Controller
{
#region Public Actions
[AllowAnonymous]
public ActionResult Search(string keyword...
[AllowAnonymous]
public ActionResult Details(string id...
#endregion
[Authorize]
public ActionResult AuthorizedDownload(long id, string step)
{
SecureDownloadLink link = SecureDownloadLink.Load(id);
if(link.belongsTo(HttpContext.Current.User.Identity.Name))
{
//Allow download
}
else
{
//Return 404 Error
}
}
[Authorize(Roles = "product_editor")]
public ActionResult SomeOtherAction()
{
...
}
}
or if you have many actions, another possibility is to move the action that differs in a separate controller.