I am currently working on a large security requirement. As part of that, I have reported in some detail on this blog about the Asp.Net portion of it.
It turns out that I had some public endpoints serving public documentation, decorated with the AllowAnonymous attribute. So, how do I let a request execute without being validated by my permission framework when its endpoint allows anonymous access?
Simple: we need a way to detect whether the current request, which arrives as the ActionExecutingContext parameter of my ActionFilterAttribute, targets an endpoint carrying the AllowAnonymous custom attribute.
Here's the code that does that elegantly:
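As an added example (not the post's own code), one way to implement that check in an ASP.NET Core 3.0+ ActionFilterAttribute; `PermissionCheckAttribute`, `HasAllowAnonymous` and the `IsPermitted` hook are hypothetical names standing in for the author's permission framework:

```csharp
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Controllers;
using Microsoft.AspNetCore.Mvc.Filters;

// Added example, not the post's own code. Assumes ASP.NET Core 3.0+ MVC;
// IsPermitted() is a hypothetical stand-in for the post's permission framework.
public sealed class PermissionCheckAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext context)
    {
        // Endpoints that opted out with [AllowAnonymous] skip the custom check.
        if (HasAllowAnonymous(context))
        {
            return;
        }

        if (!IsPermitted(context))
        {
            // Unauthenticated callers get 401; authenticated but not permitted get 403.
            context.Result = context.HttpContext.User?.Identity?.IsAuthenticated == true
                ? new ForbidResult()
                : new UnauthorizedResult();
        }
    }

    // True when [AllowAnonymous] is on the action method, on its controller,
    // or present in the endpoint metadata (covers attributes applied by conventions).
    internal static bool HasAllowAnonymous(ActionExecutingContext context)
    {
        var descriptor = context.ActionDescriptor;
        if (descriptor.EndpointMetadata?.OfType<IAllowAnonymous>().Any() == true)
        {
            return true;
        }

        // Fall back to reflection, e.g. when the filter runs outside endpoint routing.
        return descriptor is ControllerActionDescriptor action
            && (action.MethodInfo.IsDefined(typeof(AllowAnonymousAttribute), inherit: true)
                || action.ControllerTypeInfo.IsDefined(typeof(AllowAnonymousAttribute), inherit: true));
    }

    private static bool IsPermitted(ActionExecutingContext context)
    {
        // Hypothetical hook into the permission framework; deny by default.
        return context.HttpContext.Items["permission-granted"] is true;
    }
}
```

Checking the controller type with `inherit: true` matters because an AllowAnonymous placed on the controller class applies to every action in it, not just those decorated individually.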
So, there you have it. Once an unauthenticated request reaches an endpoint marked with AllowAnonymous, the very first line of that method skips your custom validation.
See Also
Security and development: how much is being done?
Security is only as strong as the weakest link
The Laws of security
Privacy and Ethics
Integrated security vulnerability alerts on GitHub - Why it matters
Why you should start using .Net Core
Package Management in .Net Core
Exporting Html to Pdf using only JavaScript
Importing CSVs with .Net Core and C#
Exporting a CSV generated in-memory in Asp.Net with C#
Building and Running Asp.Net Core apps on Linux
Asp.Net / Asp.Net Core: Generating views in the backend
Testing Javascript on Asp.Net Core Applications