Monday, December 4, 2017

ASP.NET - Allowing unauthenticated requests on secure endpoints

How do we allow unauthenticated requests to execute against authorized endpoints in ASP.NET? Let's take a look.

In a previous article, I described how to extend the ASP.NET pipeline with custom security. It turns out that certain endpoints still needed to operate unauthenticated. How do we allow those requests to be processed? The solution relies on:
  1. Decorating the security attribute with AllowAnonymous, as discussed in the previous post.
  2. Detecting that the current request is an ActionExecutingContext and conditionally allowing the request to proceed.
Let's see how we can write a custom RequirePermission attribute to solve that problem.

Writing a custom ActionFilter Attribute

Writing a custom ActionFilter attribute isn't complicated. Here's some code that demonstrates how to do that elegantly:

Using the Attribute

Next, we can use our attribute to decorate our actions so it runs as soon as our endpoint is hit:
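
One way to write and apply such an attribute, as an added example rather than the original post's code. It assumes ASP.NET Core MVC 3.0 or later with endpoint routing, a hypothetical `permission` claim type, and a hypothetical `ReportsController`.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// Added example. Assumptions: ASP.NET Core MVC 3.0+ (endpoint routing) and a
// hypothetical "permission" claim issued to the user at sign-in.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class RequirePermissionAttribute : ActionFilterAttribute
{
    private readonly string _permission;

    public RequirePermissionAttribute(string permission) => _permission = permission;

    public override void OnActionExecuting(ActionExecutingContext context)
    {
        // [AllowAnonymous] on the action or its controller opts the endpoint out.
        bool anonymousAllowed = context.ActionDescriptor.EndpointMetadata?
            .OfType<IAllowAnonymous>().Any() == true;
        if (anonymousAllowed)
            return;

        var user = context.HttpContext.User;
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
        {
            context.Result = new UnauthorizedResult();   // 401: caller has no identity
            return;
        }

        // Setting Result short-circuits the pipeline; the action never runs.
        if (!user.HasClaim("permission", _permission))
            context.Result = new ForbidResult();         // 403: identity lacks the permission
    }
}

[RequirePermission("reports.read")]           // every action is protected by default
public class ReportsController : Controller
{
    public IActionResult Index() => Ok("authorized users only");

    [AllowAnonymous]                          // explicit, reviewable exception
    public IActionResult Health() => Ok("ok");
}
```

Placing the attribute on the controller keeps newly added actions protected by default, so an anonymous endpoint exists only where `[AllowAnonymous]` is written explicitly.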


This was a quick post extending the previous discussion on how to implement custom action filters to gain better control over the requests against our application. In this post I explained how you can intercept requests to your application and react to them using these attributes. For a complete understanding of the project, please see the original discussion.
