My work around for the problem, for anybody facing the same issue, was to apply the [AbpMvcAuthorize] attribute to manually to all controllers (except those I want to completely whitelist), and then the [AbpAllowAnonymous] attribute to actions I want to whitelist for public access. No applying global filters (AbpMvcAuthoizeFilter is already applied by AbpWebMvcModule), nor applying [Authorize] or [AbpMvcAuthorize] to the base controller class. They all resulted in infinite loops or inaccessible whitelisted methods.
Thank you. At least I know its in in the pipeline for fixing. I should have also mentioned that the AbpScriptsManager does not have the AllowAnonymous attribute applied in any form, so its GetScripts action is never accessible if a global Authorize filter is applied. Same for the WebApi GetAll scripts action.
I am trying to require authentication to all of my controllers and whitelist only those which do not require authentication. The normal (non-ABP) way to do this is to apply a global filter, like GlobalFilters.Filters.Add(new AuthorizeAttribute()) - (see [https://blogs.msdn.microsoft.com/rickandy/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute/])). I don't want any particular authorisation rules here, just to ensure the user is logged in.
However, Abp provides its own AbpMvcAuthorizationAttribute, derived from the default MVC one. If I apply this to my controllers or base controller class (even in a default, untouched project), and then use [AllowAnonymous] on my AccountController, I get an infinite redirection to my login screen. Why is this? If I apply the default System.Web.AuthorizeAttribute, the problem doesn't exist, but the documentation ([http://www.aspnetboilerplate.com/Pages/Documents/Authorization])) indicates that this is correct usage. What am I doing wrong?
I delved into the source code for a bit, and it seems the AbpWebMvcModule applies a global AbpMvcAuthorizationFilter, which passes action methods/controllers with the [AbpAllowAnonymous] attribute, however the same infinite redirect issue occurs.
Can somebody shed some light on this? Perhaps the documentation need updating in light of the recent v1 release?