Monday, December 4, 2017

Asp.Net - Allow anonymous requests on secure endpoints


I am currently working on a big security requirement. As part of that, I have reported the Asp.Net portion of it in some detail on this blog.

It turns out that I had some public endpoints, serving public documentation, decorated with the AllowAnonymous attribute. So, how do we allow a request to be executed, and not validated by my permission framework, if its endpoint has AllowAnonymous access?

Simple: we need a way to detect whether the action targeted by the current request, which arrives as the ActionExecutingContext parameter in my ActionFilterAttribute, is decorated with the AllowAnonymous attribute.

Here's the code that does that elegantly:



So, there you have it. Once an unauthenticated request reaches an endpoint marked with AllowAnonymous, the very first line of that method returns before your custom validation runs.
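The check described above, as an added example that is not the author's original code. It assumes ASP.NET MVC 5 (`System.Web.Mvc`); the filter name `PermissionFilterAttribute` and the "Controller.Action" role convention in `HasPermission` are hypothetical stand-ins for the application's own permission framework.

```csharp
using System.Net;
using System.Security.Principal;
using System.Web.Mvc;

// Hypothetical permission filter (name and role convention are assumptions).
public class PermissionFilterAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // Very first line: endpoints marked [AllowAnonymous] skip validation.
        if (AllowsAnonymous(filterContext.ActionDescriptor)) return;

        IPrincipal user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            // Short-circuit: setting Result stops the action from executing.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Unauthorized);
            return;
        }

        if (!HasPermission(user, filterContext.ActionDescriptor))
        {
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        }
    }

    // True when the action, or its controller, carries [AllowAnonymous].
    private static bool AllowsAnonymous(ActionDescriptor action)
    {
        return action.IsDefined(typeof(AllowAnonymousAttribute), true)
            || action.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true);
    }

    // Assumed convention: a role named "Controller.Action" grants access.
    // Replace with the application's own permission lookup.
    private static bool HasPermission(IPrincipal user, ActionDescriptor action)
    {
        string required = action.ControllerDescriptor.ControllerName + "." + action.ActionName;
        return user.IsInRole(required);
    }
}
```

Because the controller-level check exempts every action on that controller, placing AllowAnonymous on individual actions keeps the set of unvalidated endpoints explicit and easy to audit.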


References


https://stackoverflow.com/questions/13595723/allowanonymous-not-working-with-custom-authorizationattribute