Blocking anonymous access by default in ASP .NET 5

Question

My team and I are starting up a new website project in ASP .NET 5 and I'm trying to set up the basis of our user authentication and authorization policy.

So far, I've managed to use the [Authorize] and [AllowAnonymous] attributes to selectively define an authorization policy controllers or actions. The one thing I'm still struggling to achieve is defining a default authorization policy.

Bascially, I'd like every controller and action to behave as if they had an [Authorize] attribute by default, so that only actions specifically tagged as [AllowAnonymous] can be accessed by an anonymous user. Otherwise, we expect that, at some point, someone will forget to add an [Authorize] attribute to their controller and introduce vulnerabilities into the webapp.

It is my understanding that what I'm trying to do could be achieved in previous versions of ASP .NET by adding the following statement in FilterConfig.cs:

filters.Add(new AuthorizeAttribute());

... except that FilterConfig.cs no longer exists in MVC 6. According to How to register a global filter with mvc 6, asp.net 5 I can now access the global filters list using:

services.ConfigureMvc(options =>
{
   options.Filters.Add(new YouGlobalActionFilter());
}

... tried it, looks fine, but now it's the AuthorizeAttribute filter that I can't seem to find.

For experimenting purposes I've tried to handcraft an equivalent to the AuthorizeAttribute filter and came up with the following:

public class LoginFilter: AuthorizeFilter
{
    public LoginFilter(): base(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build())
    {

    }

    public override Task OnAuthorizationAsync(Microsoft.AspNet.Mvc.AuthorizationContext context)
    {
        if(!context.HttpContext.User.Identity.IsAuthenticated && context.ActionDescriptor is ControllerActionDescriptor)
        {
            var action = context.ActionDescriptor as ControllerActionDescriptor;
            if(!AcceptAnonymous(action.ControllerTypeInfo) && !AcceptAnonymous(action.MethodInfo))
            {
                context.HttpContext.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
            }
        }
        return base.OnAuthorizationAsync(context);
    }

    private static bool AcceptAnonymous(ICustomAttributeProvider o)
    {
        return o.IsDefined(typeof(AllowAnonymousAttribute), true);
    }
}

This kinda works... I can add it to the global filters list, and it does reject queries coming from unauthenticated users unless the query is resolved to an action tagged [AllowsAnonymous].

However...

• the AuthorizationPolicyBuilder thingy is ugly and misleading: it does not serve any purpose and is apparently ignored during the whole processing. The only reason I added it is that AuthorizeFilter requires an AuthorizationPolicy in its constructor. I guess, but haven't tried yet, that directly implementing IAsyncAuthorizationFilter would solve this particular issue

• nothing in this code is specific to my webapp and the functionality was apparently provided in previous versions of the framework, so I'm willing to bet that there already is (or there will soon be) a component doing exactly the same thing, and I'd rather use a standard component from the framework than handcraft my own.

So, long story short, where has the AuthorizeAttribute filter gone? Or is there any functional equivalent I can use to make rejection of anonymous users the default behavior?

Answer 1

You can use Microsoft.AspNet.Mvc.AuthorizeFilter.

using Microsoft.AspNet.Mvc;
using Microsoft.AspNet.Authorization;

services.ConfigureMvc(options =>
{
   options.Filters.Add(new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build()));
});

If you need custom authorization requirements see this answer for more information.