I am trying to require authentication for all of my controllers and whitelist only those which do not require authentication. The normal (non-ABP) way to do this is to apply a global filter, like GlobalFilters.Filters.Add(new AuthorizeAttribute()) (see https://blogs.msdn.microsoft.com/rickandy/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute/). I don't want any particular authorisation rules here, just to ensure the user is logged in.
However, Abp provides its own AbpMvcAuthorizationAttribute, derived from the default MVC one. If I apply this to my controllers or base controller class (even in a default, untouched project), and then use [AllowAnonymous] on my AccountController, I get an infinite redirection to my login screen. Why is this? If I apply the default System.Web.AuthorizeAttribute, the problem doesn't exist, but the documentation (http://www.aspnetboilerplate.com/Pages/Documents/Authorization) indicates that this is correct usage. What am I doing wrong?
I delved into the source code for a bit, and it seems the AbpWebMvcModule applies a global AbpMvcAuthorizationFilter, which passes action methods/controllers with the [AbpAllowAnonymous] attribute; however, the same infinite redirect issue occurs.
Can somebody shed some light on this? Perhaps the documentation needs updating in light of the recent v1 release?
5 Answer(s)
See: https://github.com/aspnetboilerplate/module-zero-template/issues/56
And: https://github.com/aspnetboilerplate/module-zero-template/pull/57
Thank you. At least I know it's in the pipeline for fixing. I should have also mentioned that the AbpScriptsManager does not have the AllowAnonymous attribute applied in any form, so its GetScripts action is never accessible if a global Authorize filter is applied. Same for the WebApi GetAll scripts action.
My workaround for the problem, for anybody facing the same issue, was to apply the [AbpMvcAuthorize] attribute manually to all controllers (except those I want to completely whitelist), and then the [AbpAllowAnonymous] attribute to actions I want to whitelist for public access. No applying global filters (AbpMvcAuthorizeFilter is already applied by AbpWebMvcModule), nor applying [Authorize] or [AbpMvcAuthorize] to the base controller class. They all resulted in infinite loops or inaccessible whitelisted methods.
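As an added illustration of the workaround above (example code written for this page, not taken from the ASP.NET Boilerplate project or from the poster), here is the per-controller default-deny layout plus a small reflection audit that lists controllers carrying neither attribute, so a forgotten [AbpMvcAuthorize] shows up at startup rather than as an open endpoint. The controller and action names, the audit helper and the attribute namespaces (Abp.Web.Mvc.Authorization for AbpMvcAuthorizeAttribute, Abp.Authorization for AbpAllowAnonymousAttribute) are assumptions; the only deliberate difference from the answer is that a fully public controller is tagged [AbpAllowAnonymous] at class level instead of being left bare, so the audit can tell "intentionally public" from "forgot the attribute".

```csharp
using System.Linq;
using System.Reflection;
using System.Web.Mvc;
using Abp.Authorization;             // AbpAllowAnonymousAttribute (assumed namespace)
using Abp.Web.Mvc.Authorization;     // AbpMvcAuthorizeAttribute (assumed namespace)

// Default-deny: the controller carries [AbpMvcAuthorize], so every action needs
// a logged-in user unless it is explicitly opened up with [AbpAllowAnonymous].
[AbpMvcAuthorize]
public class HomeController : Controller
{
    // Login required (inherits the controller-level attribute).
    public ActionResult Index() => View();

    // Whitelisted for public access; the global AbpMvcAuthorizeFilter that
    // AbpWebMvcModule registers honours this attribute too. Hypothetical action.
    [AbpAllowAnonymous]
    public ActionResult Status() => Content("ok");
}

// Wholly public controller (hypothetical). Marked explicitly so the audit below
// treats it as a deliberate decision rather than a missing attribute.
[AbpAllowAnonymous]
public class PublicDocsController : Controller
{
    public ActionResult Index() => View();
}

// Hypothetical helper, not part of ABP: run once at startup (e.g. from
// Application_Start) and log or fail on a non-empty result.
public static class AuthorizationAudit
{
    // Returns the full names of concrete MVC controllers that carry neither
    // [AbpMvcAuthorize] nor [AbpAllowAnonymous] at class level (inheritance included).
    public static string[] FindUnlabelledControllers(Assembly assembly)
    {
        return assembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract)
            .Where(t => !t.IsDefined(typeof(AbpMvcAuthorizeAttribute), inherit: true)
                     && !t.IsDefined(typeof(AbpAllowAnonymousAttribute), inherit: true))
            .Select(t => t.FullName)
            .OrderBy(n => n)
            .ToArray();
    }
}

// Usage (e.g. in Global.asax Application_Start):
//   var unlabelled = AuthorizationAudit.FindUnlabelledControllers(typeof(HomeController).Assembly);
//   if (unlabelled.Length > 0) throw new System.InvalidOperationException(
//       "Controllers without an authorization decision: " + string.Join(", ", unlabelled));
```

The audit only checks class-level attributes, which matches the workaround (attribute on every controller, exceptions on individual actions); an action-level [AbpAllowAnonymous] is a conscious exception and is left alone. Failing startup on a non-empty list turns "I forgot to mark the new controller" into a build-and-run error instead of an unauthenticated route.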
I created an issue for that: https://github.com/aspnetboilerplate/aspnetboilerplate/issues/1467 Please follow it. Thank you for reporting this. Have a nice day.
Resolved: https://github.com/aspnetboilerplate/aspnetboilerplate/issues/1467