Alec

Reputation: 1706

Why is my authorization fallback policy overriding AllowAnonymous

I added a fallback policy to my asp.net core application because I wanted to require a specific role as the fallback instead of just blanket authorization.

However, now pages that have the AllowAnonymous attribute are using my fallback policy, which seems to directly contradict documentation. Microsoft docs say that the fallback policy is for pages without any authorize or AllowAnonymous attribute.

For example, Razor Pages, controllers, or action methods with [AllowAnonymous] or [Authorize(PolicyName="MyPolicy")] use the applied authentication attribute rather than the fallback authentication policy.

https://learn.microsoft.com/en-us/aspnet/core/security/authorization/secure-data?view=aspnetcore-6.0

I'm wondering if perhaps my configuration in Startup is wrong, but from searching I've found nothing similar to my issue.

// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
    services.AddRazorPages();
    services.AddDbContext<MyDbContext>(options =>
        options.UseSqlServer(Configuration.GetConnectionString("MyDbContext")));
    services.AddIdentity<ApplicationUser, IdentityRole>()
        .AddDefaultTokenProviders()
        .AddEntityFrameworkStores<MyDbContext>();
    services.AddScoped<MySharedService>();
    services.ConfigureApplicationCookie(options =>
    {
        options.LoginPath = $"/Identity/Account/Login";
        options.LogoutPath = $"/Identity/Account/Logout";
        options.AccessDeniedPath = $"/Identity/Account/AccessDenied";
    });
    services.AddAuthorization(options =>
    {
        options.AddPolicy("IsSystemAdmin", policy => policy.RequireRole("SystemAdmin"));
        options.FallbackPolicy = options.GetPolicy("IsSystemAdmin");
    });
}

// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Error");
        // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
        app.UseHsts();
    }

    app.UseHttpsRedirection();
    app.UseStaticFiles();

    app.UseRouting();

    app.UseAuthentication();
    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapRazorPages();
    });
}

Upvotes: 3

Views: 2811

Answers (1)

Alec

Reputation: 1706

Because I was adding a "static" page for the privacy policy, I unintentionally removed the line @model PrivacyPolicyModel from PrivacyPolicy.cshtml.

Therefore the page model at PrivacyPolicy.cshtml.cs was skipped entirely, and any Authorize or AllowAnonymous attribute was not applied.

One of those bugs I can't believe I wasted so many hours on... Hopefully this helps someone in the future.

Upvotes: 3
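The failure mode described above (a page model, and with it its [AllowAnonymous] or [Authorize] attribute, silently dropped when the @model directive goes missing) is the kind of regression worth pinning down with a test, because the fallback policy makes it fail closed while a missing [Authorize] on a page would fail open. The following is an added example, not code from the question or the answer. It assumes the Startup class from the question, a PrivacyPolicy Razor page, an Index page with no authorization attributes, and the xUnit and Microsoft.AspNetCore.Mvc.Testing packages; the page model and test class names are hypothetical.

```csharp
// Pages/PrivacyPolicy.cshtml.cs  (hypothetical page model for the example)
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.RazorPages;

// The attribute lives on the page model. It only takes effect if the .cshtml
// declares "@model PrivacyPolicyModel"; without that directive the page is
// compiled without this class and the fallback policy applies.
[AllowAnonymous]
public class PrivacyPolicyModel : PageModel
{
    public void OnGet() { }
}

/* Pages/PrivacyPolicy.cshtml must keep the directive that binds the model:

   @page
   @model PrivacyPolicyModel
   <h1>Privacy policy</h1>
*/

// Tests/FallbackPolicyTests.cs  (hypothetical integration test, xUnit + Mvc.Testing)
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;

public class FallbackPolicyTests : IClassFixture<WebApplicationFactory<Startup>>
{
    private readonly HttpClient _client;

    public FallbackPolicyTests(WebApplicationFactory<Startup> factory)
    {
        // Do not follow redirects: the cookie login challenge must show up as a 302,
        // not as the login page's 200.
        _client = factory.CreateClient(new WebApplicationFactoryClientOptions
        {
            AllowAutoRedirect = false
        });
    }

    [Fact]
    public async Task AllowAnonymousPage_IsReachableWithoutLogin()
    {
        // Catches the bug from the answer: if @model is removed, this becomes a 302.
        var response = await _client.GetAsync("/PrivacyPolicy");
        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
    }

    [Fact]
    public async Task PageWithoutAttributes_IsChallengedByFallbackPolicy()
    {
        // Index has no attributes, so FallbackPolicy ("IsSystemAdmin") applies and the
        // anonymous client is redirected to the configured LoginPath.
        var response = await _client.GetAsync("/");
        Assert.Equal(HttpStatusCode.Redirect, response.StatusCode);
        Assert.Contains("/Identity/Account/Login", response.Headers.Location!.ToString());
    }
}
```

Both tests run against the real Startup pipeline through the in-memory test host, so a page that loses its model (or a fallback policy that is accidentally removed) fails the build rather than being discovered in production. If the Index page touches the database, the test host needs a reachable or substituted MyDbContext; that wiring is outside this example.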
