Monday, December 4, 2017

Asp.Net - Allow anonymous requests on secure endpoints

I am currently working on a big security requirement. As part of that, I have been reporting the Asp.Net portion of it in some detail on this blog.

It turns out that I had some public endpoints, serving public documentation, decorated with the AllowAnonymous attribute. So, how do I allow a request to execute without being validated by my permission framework if its endpoint has AllowAnonymous access?

Simple: we need to find a way to detect if the current request coming as an ActionExecutingContext parameter in my ActionFilterAttribute has the custom attribute AllowAnonymous.

Here's the code that does that elegantly:

So, there you have it. Once a request reaches an endpoint marked AllowAnonymous, the very first line of that method short-circuits your custom validation, and the request runs without it.
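The post's own code did not survive on this page, so the following is an added example (mine, not the author's) of the pattern the text describes, written against classic Asp.Net MVC 5 (System.Web.Mvc). The filter name RequirePermissionAttribute, the PermissionFramework class and the "Docs.Editor" role are assumptions introduced here for illustration; the only real APIs relied on are ActionDescriptor.IsDefined, ControllerDescriptor.IsDefined and the standard result types.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Web.Mvc;

// Added example (not the post's own code): a permission filter that skips its
// own checks for endpoints decorated with [AllowAnonymous].
public class RequirePermissionAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // Short-circuit first: if the action or its controller allows anonymous
        // access, leave the request alone and let MVC execute it.
        if (AllowsAnonymous(filterContext))
        {
            base.OnActionExecuting(filterContext);
            return;
        }

        // Otherwise require an authenticated caller...
        var user = filterContext.HttpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        // ...and hand off to the application's own permission framework
        // (hypothetical stand-in below for whatever the post's framework does).
        if (!PermissionFramework.IsAllowed(user, filterContext.ActionDescriptor))
        {
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
            return;
        }

        base.OnActionExecuting(filterContext);
    }

    // [AllowAnonymous] can sit on the action method or on the controller class.
    // Checking only the action would let a controller-level attribute be ignored,
    // so both descriptors are consulted, with inherited attributes included.
    private static bool AllowsAnonymous(ActionExecutingContext filterContext)
    {
        ActionDescriptor action = filterContext.ActionDescriptor;
        return action.IsDefined(typeof(AllowAnonymousAttribute), inherit: true)
            || action.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), inherit: true);
    }
}

// Hypothetical stand-in for the post's permission framework so the example compiles.
public static class PermissionFramework
{
    public static bool IsAllowed(IPrincipal user, ActionDescriptor action)
    {
        // Constructed rule for the example: members of the "Docs.Editor" role may
        // reach any action. A real framework would consult its own permission store,
        // keyed on action.ControllerDescriptor.ControllerName and action.ActionName.
        return user.IsInRole("Docs.Editor");
    }
}

// Registration, typically in App_Start/FilterConfig.cs, so the filter applies to
// every action and [AllowAnonymous] becomes the explicit opt-out:
//   filters.Add(new RequirePermissionAttribute());
```

Two points worth keeping in mind when adopting this. First, [AllowAnonymous] on its own is only honoured by the built-in AuthorizeAttribute; any custom filter has to check for it explicitly, as above, or it will block the public endpoints regardless of the attribute. Second, because the attribute now bypasses the whole permission framework, it is worth periodically auditing which actions and controllers carry it, since a controller-level [AllowAnonymous] opens every action in that controller. In Asp.Net Core 3.0 and later the equivalent check reads the endpoint metadata instead: context.ActionDescriptor.EndpointMetadata.OfType<IAllowAnonymous>().Any().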

See Also

Security and development: how much is being done?
Security is only as strong as the weakest link
The Laws of security
Privacy and Ethics
Integrated security vulnerability alerts on GitHub - Why it matters

Why you should start using .Net Core

Package Management in .Net Core
Exporting Html to Pdf using only JavaScript
Importing CSVs with .Net Core and C#
Exporting a CSV generated in-memory in Asp.Net with C#
Building and Running Asp.Net Core apps on Linux
Asp.Net / Asp.Net Core: Generating views in the backend
Testing Javascript on Asp.Net Core Applications

For more security posts on this blog, please click here.


Do you have any comment on one this post? Contact me @BrunoHilden