Question

Say I have an MVC .net core website where 100% of the controllers/methods are behind [Authorize] attributes (complete with policies and all). Would it be taboo to carve out a set of un-authorized/anonymous controllers/methods to handle user requests for access to the site? It seems perfectly reasonable to me, and outside of developer error, I can't see it introducing a new security risk.


Solution

No problem at all, in fact I would suggest approaching the problem the other way round. Authenticate all your actions by default, and use AllowAnonymous to permit access to your public actions. If you're worried about missing some you can use unit tests or static analysis to flag up unprotected actions.
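The "deny by default, opt out with AllowAnonymous, and let a test catch stray opt-outs" approach above, written out as an added example (this is not the answerer's code or the asker's project). It assumes ASP.NET Core 6+ minimal hosting, xUnit, and hypothetical names (`AccessRequestController`, `AccessRequestForm`, the `Staff` policy, `AnonymousSurfaceTests`). The first part configures a fallback policy plus a global MVC filter so that an action with no attribute at all still requires a signed-in user; the second part is a test that enumerates every action reachable anonymously and fails if one is not on an explicit allowlist.

```csharp
// ---- Program.cs (added example; names marked hypothetical are assumptions) ----
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.DependencyInjection;
using Xunit;

var builder = WebApplication.CreateBuilder(args);

// Default policy: an authenticated user is required unless an endpoint
// explicitly opts out with [AllowAnonymous]. Configuring this centrally means
// a controller with a forgotten [Authorize] is still protected.
var requireAuth = new AuthorizationPolicyBuilder()
    .RequireAuthenticatedUser()
    .Build();

builder.Services.AddAuthorization(options =>
{
    // FallbackPolicy applies to any endpoint that carries no authorization
    // metadata at all: MVC actions, Razor Pages and minimal APIs alike.
    options.FallbackPolicy = requireAuth;
    // A named policy for the protected part of the site (hypothetical name).
    options.AddPolicy("Staff", p => p.RequireRole("Staff"));
});

builder.Services.AddControllersWithViews(options =>
{
    // Global MVC filter as a second layer, so MVC actions stay protected even
    // if the fallback policy is later changed or removed.
    options.Filters.Add(new AuthorizeFilter(requireAuth));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

// Hypothetical view model for the public form.
public class AccessRequestForm
{
    public string Email { get; set; } = "";
    public string Justification { get; set; } = "";
}

// The deliberately public surface: the "request access" form. [AllowAnonymous]
// bypasses both the fallback policy and the global filter for this controller
// only; everything else in the assembly still requires a signed-in user.
[AllowAnonymous]
public class AccessRequestController : Controller   // hypothetical name
{
    [HttpGet]
    public IActionResult Index() => View();

    [HttpPost, ValidateAntiForgeryToken]
    public IActionResult Index(AccessRequestForm form)
    {
        if (!ModelState.IsValid) return View(form);
        // Queue the request for an administrator to approve (not shown).
        return RedirectToAction(nameof(Index));
    }
}

// A protected controller, shown so the test below has something to ignore.
[Authorize(Policy = "Staff")]
public class ReportsController : Controller   // hypothetical name
{
    public IActionResult Index() => View();
}

// ---- AnonymousSurfaceTests.cs (xUnit; hypothetical test class) ----
public class AnonymousSurfaceTests
{
    // Explicit allowlist of "Controller.Action" names that may be anonymous.
    // A new [AllowAnonymous] anywhere fails CI until it is added here on purpose.
    private static readonly HashSet<string> Allowed = new()
    {
        "AccessRequestController.Index",
    };

    // Enumerates every public action whose controller or method opts out of
    // authorization (anything implementing IAllowAnonymous, which is how MVC
    // itself recognizes the attribute).
    public static IEnumerable<string> AnonymousActions(Assembly asm) =>
        (from t in asm.GetTypes()
         where typeof(ControllerBase).IsAssignableFrom(t) && !t.IsAbstract
         let controllerAnon = t.GetCustomAttributes(true).OfType<IAllowAnonymous>().Any()
         from m in t.GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
         where !m.IsSpecialName && !m.GetCustomAttributes(true).OfType<NonActionAttribute>().Any()
         where controllerAnon || m.GetCustomAttributes(true).OfType<IAllowAnonymous>().Any()
         select $"{t.Name}.{m.Name}").Distinct();

    [Fact]
    public void OnlyAllowlistedActionsAreAnonymous()
    {
        var unexpected = AnonymousActions(typeof(AccessRequestController).Assembly)
            .Except(Allowed)
            .ToList();
        Assert.Empty(unexpected);
    }
}
```

Two caveats worth keeping in mind with this layout. `[AllowAnonymous]` on a controller or action overrides every `[Authorize]` in the chain, including policy-based ones, so it should be placed as narrowly as possible (on the one controller or action that is meant to be public), and the allowlist in the test is what turns an accidental opt-out into a build failure rather than a silent exposure. The fallback policy and the global MVC filter overlap on purpose: the filter only sees MVC actions, while the fallback policy also covers Razor Pages and minimal API endpoints that the filter never runs for.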

Licensed under: CC-BY-SA with attribution