.Net Core Controllers Authorization Settings

Question

Recently we converted our application to .net core from .net framework. But after conversion, we found there is something about the controller authorization changed.

Before conversion, the actions can by default be accessed without authorization. that works like [AllowAnonymous] attribute although we did not manually set that attribute.

After conversion, the actions works like what it does with [Authorize] attribute. It needs authorization to access those controllers and actions without any authorization attribute.

Here my question is how I can set the default authorization back to [AllowAnonymous] instead of [Authorize]?

I think this maybe a version problem?

I expect that I can reset the actions and controllers without the authorization attribute to be [AllowAnonymous] authorization by default.

Answer 1

In core the [Authorize] attribute is used to control access at the class level or the function level. The [AllowAnonymous] attribute is used to "allow access by non-authenticated users to individual actions". So [AllowAnonymous] should be used at the function level in controllers decorated with [Authorize] at the class level. By default, a controller without an [Authorize] attribute should behave as if authorization is not required.

source: https://learn.microsoft.com/en-us/aspnet/core/security/authorization/simple?view=aspnetcore-2.2

If it is indeed an issue with migrating .NET versions, I would probably start here: https://learn.microsoft.com/en-us/aspnet/core/migration/proper-to-2x/?view=aspnetcore-2.2