The Wayback Machine - https://web.archive.org/web/20220202105644/https://github.com/dotnet/aspnetcore/issues/39930
FallbackPolicy takes precedence over AuthorizeFilters added using Conventions #39930

Open · moanrose opened this issue Feb 2, 2022 · 0 comments

moanrose commented Feb 2, 2022

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

Security policies applied using the MvcOptions.Conventions do not apply if a FallbackPolicy is specified.

I want to add a security policy for a controller using MvcOptions.Conventions. If no FallbackPolicy is specified, the security policies are evaluated as expected. However, if a FallbackPolicy is specified, only that applies.

Expected Behavior

I would expect the AuthorizeFilters added using Conventions to take precedence over the FallbackPolicy.

Steps To Reproduce

The following code should be sufficient to reproduce the problem.

using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.ApplicationModels;
using Microsoft.AspNetCore.Mvc.Authorization;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers(options =>
{
    // Convention that attaches an AuthorizeFilter to HelloWorldController only.
    options.Conventions.Add(new AllowAnonymousConvention());
});
builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();
builder.Services.AddAuthorization(options =>
{
    // Named policy that always succeeds; referenced by the convention below.
    options.AddPolicy("allowAnonymous", new AuthorizationPolicyBuilder()
        .RequireAssertion(_ => true)
        .Build());
    // Deny-all fallback policy.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAssertion(_ => false)
        .Build();
});
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

[ApiController]
[Route("[controller]")]
public class HelloWorldController : ControllerBase
{
    [HttpGet]
    public string Get()
    {
        return "Hello world";
    }
}

public class AllowAnonymousConvention : IControllerModelConvention
{
    public void Apply(ControllerModel controller)
    {
        // Only HelloWorldController gets the filter; with the FallbackPolicy above
        // in place, requests to it are still denied.
        if (controller.ControllerType.Equals(typeof(HelloWorldController)))
        {
            controller.Filters.Add(new AuthorizeFilter(new IAuthorizeData[]
            {
                new AuthorizeAttribute("allowAnonymous")
            }));
        }
    }
}

Exceptions (if any)

No response

.NET Version

6.0.101

Anything else?

No response
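A convention-based workaround, added here as an example (it is not code from the issue or from the aspnetcore project). It assumes that the authorization middleware chooses FallbackPolicy whenever the matched endpoint's metadata carries no IAuthorizeData, and that an AuthorizeFilter added through MvcOptions.Conventions does not contribute such metadata; the convention therefore publishes the same AuthorizeAttribute on each controller selector's EndpointMetadata next to the filter. The PolicyConvention class and its constructor parameters are assumptions.

```csharp
using System;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.ApplicationModels;
using Microsoft.AspNetCore.Mvc.Authorization;

// Added example, not code from the issue. Assumption: the authorization middleware
// only consults IAuthorizeData in endpoint metadata and otherwise applies
// FallbackPolicy; an AuthorizeFilter added via Conventions does not add such metadata.
public class PolicyConvention : IControllerModelConvention
{
    private readonly Type _controllerType;
    private readonly string _policyName;

    // Hypothetical constructor: the controller to target and the named policy to apply.
    public PolicyConvention(Type controllerType, string policyName)
    {
        _controllerType = controllerType;
        _policyName = policyName;
    }

    public void Apply(ControllerModel controller)
    {
        if (!controller.ControllerType.Equals(_controllerType))
        {
            return;
        }

        var authorizeData = new AuthorizeAttribute(_policyName);

        // Keep the MVC filter, as in the issue's repro, so the policy is still
        // enforced in the filter pipeline.
        controller.Filters.Add(new AuthorizeFilter(new IAuthorizeData[] { authorizeData }));

        // Also publish the same IAuthorizeData on every route selector. This is what a
        // compile-time [Authorize(Policy = "...")] attribute produces, and it gives the
        // authorization middleware an explicit policy to evaluate instead of FallbackPolicy.
        foreach (var selector in controller.Selectors)
        {
            selector.EndpointMetadata.Add(authorizeData);
        }
    }
}

// Registration, replacing the AllowAnonymousConvention line in the repro:
// options.Conventions.Add(new PolicyConvention(typeof(HelloWorldController), "allowAnonymous"));
```

Under these assumptions, requests to HelloWorldController are evaluated against "allowAnonymous" while every other endpoint without explicit authorize data keeps the deny-all FallbackPolicy.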
