I am trying to require authentication to all of my controllers and whitelist only those which do not require authentication. The normal (non-ABP) way to do this is to apply a global filter, like GlobalFilters.Filters.Add(new AuthorizeAttribute()) - (see [https://blogs.msdn.microsoft.com/rickandy/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute/])). I don't want any particular authorisation rules here, just to ensure the user is logged in.
However, Abp provides its own AbpMvcAuthorizationAttribute, derived from the default MVC one. If I apply this to my controllers or base controller class (even in a default, untouched project), and then use [AllowAnonymous] on my AccountController, I get an infinite redirection to my login screen. Why is this? If I apply the default System.Web.AuthorizeAttribute, the problem doesn't exist, but the documentation ([http://www.aspnetboilerplate.com/Pages/Documents/Authorization])) indicates that this is correct usage. What am I doing wrong?
I delved into the source code for a bit, and it seems the AbpWebMvcModule applies a global AbpMvcAuthorizationFilter, which passes action methods/controllers with the [AbpAllowAnonymous] attribute, however the same infinite redirect issue occurs.
Can somebody shed some light on this? Perhaps the documentation need updating in light of the recent v1 release?
