Monday, December 4, 2017

ASP.NET - How to allow anonymous requests on secure endpoints

How to allow unauthenticated requests on authorized endpoints using ASP.NET? Let's take a look.

In a previous article, I described how to extend the ASP.NET pipeline with custom security. It turns out that certain endpoints were still required to operate unauthenticated. How do we allow those requests to be processed? The solution relies on:
  1. Decorating the security attribute with AllowAnonymous, as discussed in the previous post.
  2. Detecting that the current request is an ActionExecutingContext and conditionally allowing the request to proceed.
Let's see how we can write a custom RequirePermission attribute to solve that problem.

Writing a custom ActionFilter Attribute

Writing a custom ActionFilter attribute isn't complicated. Here's some code that demonstrates how to do that elegantly:

Using the Attribute

Next, we can use our attribute to decorate our actions so it runs as soon as our endpoint is hit:
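
One way to write the RequirePermission attribute and apply it to a controller, as an added example that is not the author's original code. It assumes ASP.NET Core MVC; the `permission` claim type, the `orders.read` value and `OrdersController` are hypothetical names chosen for illustration.

```csharp
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.AspNetCore.Mvc.Filters;

// Hypothetical attribute: the name RequirePermission comes from the post;
// the body and the "permission" claim type are assumptions of this example.
public sealed class RequirePermissionAttribute : ActionFilterAttribute
{
    private readonly string _permission;

    public RequirePermissionAttribute(string permission) => _permission = permission;

    public override void OnActionExecuting(ActionExecutingContext context)
    {
        // [AllowAnonymous] on the action or its controller lets the request through.
        // Endpoint routing exposes it as metadata; older setups expose it as a filter.
        bool allowAnonymous =
            context.ActionDescriptor.EndpointMetadata?.OfType<IAllowAnonymous>().Any() == true ||
            context.Filters.OfType<IAllowAnonymousFilter>().Any();
        if (allowAnonymous) return;

        var user = context.HttpContext.User;
        if (user.Identity?.IsAuthenticated != true)
        {
            // Fail closed: without an identity the action never runs (401).
            context.Result = new UnauthorizedResult();
            return;
        }

        // Authenticated but missing the required permission claim: 403.
        if (!user.HasClaim("permission", _permission))
            context.Result = new StatusCodeResult(StatusCodes.Status403Forbidden);
    }
}

[RequirePermission("orders.read")]   // secure by default for every action below
public class OrdersController : Controller
{
    public IActionResult Index() => Ok("requires the orders.read permission");

    [AllowAnonymous]                 // explicit, per-action opt-out
    public IActionResult Health() => Ok("reachable without authentication");
}
```

Because the controller-level attribute denies by default, every anonymous endpoint is an explicit `[AllowAnonymous]` that can be found with a code search during review.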


This was a quick post extending the previous discussion on how to implement custom action filters to have better control over the requests against our application. In this post I explained how you can intercept requests in your application and react to them using these attributes. For a complete understanding of the project, please see the original discussion.


About the Author

Bruno Hildenbrand      
Solutions Architect, Software Engineer and open-source enthusiast.
.NET, Azure, Go, Linux, Vim, Fedora, i3, Development and Architecture.