英文:
Authorize and AllowAnonymous meta data give different behaviour when they are applied on the controller
问题
当我应用这段代码时,对控制器方法使用Authorize并在其中的一个操作方法上使用AllowAnonymous,那么除了具有AllowAnonymous元数据的方法之外,所有操作方法都将被授权。显然,操作方法的元数据正在覆盖控制器方法的元数据。
但是,当我尝试在控制器方法上使用[AllowAnonymous],并在操作方法上使用[Authorize]元数据时,具有[Authorize]的操作方法将不会被授权。
为什么行为不同?
英文:
When i apply this code
with Authorize on controller method and AllowAnonymous
on one of the action methods inside then all of the action method will be authorized except the one that have AllowAnonymous meta data on it.
obviously the action method meta data is overriding the meta data from the controller method
[Authorize]
public class HomeController : Controller
{
public ActionResult About()
{
ViewBag.Message = "Your application description page.";
return View();
}
[AllowAnonymous]
public string Method1()
{
return "The secure method";
}
}
But when i try the opposite with [AllowAnonymous] on the controller method
and with [Authorize] meta data on the action method
then the action method with the [Authorize] will not be AUTHORIZED
Why the behaviour is different?
[AllowAnonymous]
public class HomeController : Controller
{
public ActionResult About()
{
ViewBag.Message = "Your application description page.";
return View();
}
[Authorize]
public string Method1()
{
return "The secure method";
}
}
答案1
得分: 2
[AllowAnonymous]属性专门用于白名单控制器或控制器上的操作。它的用途是在你希望绕过授权以允许匿名访问资源时使用,当你的资源受到要么应用于控制器要么全局应用于整个 Web 应用程序的[Authorize]属性的限制时。
在Microsoft 对于AllowAnonymousAttribute的文档中有描述:
> 指定在授权期间由 AuthorizeAttribute 跳过的操作和控制器。
这个功能也在AuthorizeAttribute的文档的备注部分中有说明:
> 你可以在一个操作上声明多个 AuthorizeAttribute。你还可以使用 AllowAnonymousAttribute 来禁用特定操作的授权。
所以,在你的问题中的两个示例中,你的操作 Method1 都应用了操作属性和控制器继承属性,因此你的两个示例都与以下代码完全相同:
[AllowAnonymous]
[Authorize]
public string Method1()
{
return "The secure method";
}
正如Microsoft文档中所述,只要在该操作上有[AllowAnonymous],它就指定了该操作会被AuthorizeAttribute跳过,尽管在操作上也声明了Authorize属性。这是因为我之前所说的[AllowAnonymous]属性的意图是用于白名单资源和绕过授权,因此在你的两个示例中,[AllowAnonymous]属性正按照预期的方式工作,允许匿名访问你的操作,即使它也声明为已授权。
英文:
The [AllowAnonymous] attribute is specifically meant to whitelist a controller or action on a controller. It is intended to be used when you want to literally bypass authorization to allow anonymous access to a resource when your resource is restricted by the [Authorize] attribute applied to either a controller or globally for the entire web application.
this is described here in the Micosoft docs for the AllowAnonymousAttribute:
> Specifies that actions and controllers are skipped by AuthorizeAttribute during authorization.
This functionality is also noted on the docs for the AuthorizeAttribute under the Remarks section:
> You can declare multiple AuthorizeAttribute per action. You can also use AllowAnonymousAttribute to disable authorization for a specific action.
So in both of your coding examples in your question your action Method1 has the action attribute applied and the controller inherited attribute applied, so both of your examples are exactly the same as doing this:
[AllowAnonymous]
[Authorize]
public string Method1()
{
return "The secure method";
}
Just as stated in the Microsoft docs, just having [AllowAnonymous] on that action specifies that this action is skipped by the AuthorizeAttribute, even though the Authorize attribute is declared on the action as well. This is due to what I was stating earlier that the intent for the [AllowAnonymous] attribute is for whitelisting a resource and bypassing authorization, so in both of your coding examples the [AllowAnonymous] attribute is working exactly as intended by allowing anonymous access to your action even if it was declared to be authorized as well.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论