MVC 5.0 [AllowAnonymous] and the new IAuthenticationFilter

广开言路 2021-01-04 01:53

When I create a new ASP.NET MVC 4.0 application, one of the first things I do is create and set a custom authorize global filter like so:

3 Answers
  •  臣服心动
    2021-01-04 02:38

    I need to provide a clarification here to your second question:

    Question 2) Why does the code inside my Index() method of my HomeController get executed after the OnAuthentication? Only to realize that after I return View() does the code inside the OnAuthenticationChallenge() get executed?

    You should actually be testing for credentials in OnAuthentication if you want to prevent the user from executing the code in your action method. OnAuthenticationChallenge is your chance to handle the 401 with a custom result, such as redirecting the user to a custom controller/action and giving them a chance to authenticate.

    using System.Web.Mvc;
    using System.Web.Mvc.Filters;

    public class CustomAuthenticationAttribute : ActionFilterAttribute, IAuthenticationFilter
    {
        // Runs before the action method: reject unauthenticated callers here.
        public void OnAuthentication(AuthenticationContext filterContext)
        {
            var user = filterContext.HttpContext.User;
            if (user == null || !user.Identity.IsAuthenticated)
            {
                // Setting Result stops the action method from executing.
                filterContext.Result = new HttpUnauthorizedResult();
            }
        }

        // Runs after the action method, before the result is executed.
        public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
        {
            // modify filterContext.Result to go somewhere special...if you do
            // nothing here they will just go to the site's default login
        }
    }
    

    Here is a more complete run-through of the filter and how you might work with it: http://jameschambers.com/2013/11/working-with-iauthenticationfilter-in-the-mvc-5-framework/

    Cheers.
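The ordering described in the answer above, combined with the `[AllowAnonymous]` opt-out from the title, as an added example that is not code from the question or the answer. The class name and the `Account`/`Login` route are assumptions, and the login action itself must carry `[AllowAnonymous]` or the redirect will loop.

```csharp
using System.Web.Mvc;
using System.Web.Mvc.Filters;
using System.Web.Routing;

// Hypothetical filter name; register globally with
// GlobalFilters.Filters.Add(new RequireAuthenticatedUserAttribute());
public class RequireAuthenticatedUserAttribute : FilterAttribute, IAuthenticationFilter
{
    // Runs before the action: the only place that can stop the action from executing.
    public void OnAuthentication(AuthenticationContext filterContext)
    {
        if (AllowsAnonymous(filterContext.ActionDescriptor))
        {
            return; // [AllowAnonymous] on the action or controller opts out
        }

        var user = filterContext.Principal;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            // A non-null Result short-circuits the pipeline; the action is skipped.
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }

    // Runs after the action (or after the short-circuit above), before the result executes.
    public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
    {
        // Only rewrite a 401; any other result came from an action that was allowed to run.
        if (!(filterContext.Result is HttpUnauthorizedResult))
        {
            return;
        }

        // Assumed login route: AccountController.Login(string returnUrl).
        // That action should check returnUrl with Url.IsLocalUrl before redirecting.
        filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
        {
            { "controller", "Account" },
            { "action", "Login" },
            { "returnUrl", filterContext.HttpContext.Request.RawUrl }
        });
    }

    private static bool AllowsAnonymous(ActionDescriptor action)
    {
        return action.IsDefined(typeof(AllowAnonymousAttribute), true)
            || action.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true);
    }
}
```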
