Monday, December 4, 2017

ASP.NET - How to allow anonymous requests on secure endpoints

How to allow unauthenticated requests on authorized endpoints using ASP.NET? Let's take a look.
Photo by Philipp Katzenberger on Unsplash

In a previous article, I described how to extend the ASP.NET pipeline with custom security. Turns out that certain endpoints were still required to operated unauthenticated. How do we allow those requests to be processed? The solution relies on:
  1. Decorating the security attribute with the AllowAnonymous as discussed on the previous post.
  2. Detecting the current request is an ActionExecutingContext and allowing the request to proceed conditionally.
Let's see how we can write a custom RequirePermission attribute to solve that problem.

Writing a custom ActionFilter Attribute

Writing a custom ActionFilter attribute isn't complicated. Here's one code that demonstrates how to do that elegantly:

Using the Attribute

Next, we ca use our attribute to decorate our actions so it runs as soon as our endpoint is hit:


This was a quick post extending the previous discussion on how to implement custom action filters to have a better control over the requests agains our application. On this post I explained how you could intercept requests on your application and react to them using these attributes. For a complete understanding of the project, please the original discussion

See Also

About the Author

Bruno Hildenbrand