The linked page's code is incorrect, and its wording could be improved.
When one uses Identity and the "secure by default" config - i.e. `builder.Services.AddAuthorization(x => x.FallbackPolicy = x.DefaultPolicy);` - then attempts to access a non-existent page will go to the login page instead of the error/404 page.
To force requests to go to the error/404 page instead, the linked page's code is given as a solution. But it doesn't work. Perhaps some changes were made in the last few aspnet versions?
This does work:
```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;
using Microsoft.AspNetCore.Http;

public class SampleAuthorizationMiddlewareResultHandler : IAuthorizationMiddlewareResultHandler
{
    // Everything that is not special-cased below goes to the framework's default handler.
    private readonly AuthorizationMiddlewareResultHandler _defaultHandler = new();

    public async Task HandleAsync(RequestDelegate next, HttpContext context,
        AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
    {
        // An unauthenticated request (a challenge, not a forbid) that matched no
        // endpoint: the fallback policy only ran because the URL resolved to
        // nothing, so answer 404 rather than redirecting to the login page.
        if (!authorizeResult.Succeeded &&
            authorizeResult.Challenged &&
            context.GetEndpoint() == null)
        {
            // Return a 404 to make it appear as if the resource doesn't exist.
            context.Response.StatusCode = StatusCodes.Status404NotFound;
            return;
        }

        await _defaultHandler.HandleAsync(next, context, policy, authorizeResult);
    }
}
```
Also, the "secure by default" docs linked above should be updated to mention this gotcha, else the app doesn't behave as expected. In this scenario, that page is misleading as it states:
> The fallback authorization policy requires all users to be authenticated, except for Razor Pages, controllers, or action methods with an authorization attribute. For example, Razor Pages, controllers, or action methods with [AllowAnonymous] or [Authorize(PolicyName="MyPolicy")] use the applied authorization attribute rather than the fallback authorization policy.

It should state that there is one case where the `[AllowAnonymous]` attribute is ignored, and that should link to the doc discussed above.
Similarly, the status code pages doc should include a warning box with the same note.
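As an added example (not code from the issue or from the linked docs page), the following `Program.cs` shows how the handler from the post has to be wired up for the 404 to actually reach a rendered error page: the fallback policy, the handler registration, status code pages with re-execution placed before `UseAuthorization`, and an error endpoint that carries `[AllowAnonymous]` so the re-executed request is not challenged a second time. It assumes the `SampleAuthorizationMiddlewareResultHandler` class from the post is compiled into the same project, uses plain cookie authentication in place of Identity, and the `/StatusCode/{0}`, `/Account/Login` and `/` routes are invented for the demo.

```csharp
// Program.cs: added example, not code from the issue or the docs page.
// Assumes SampleAuthorizationMiddlewareResultHandler (from the post) is in
// the same project. Cookie auth stands in for Identity; all routes are invented.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization.Policy;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options => options.LoginPath = "/Account/Login");

// "Secure by default": the fallback policy applies to every request without an
// authorization attribute, including requests that match no endpoint at all.
// That is why an anonymous request for a missing page is challenged (redirected
// to the login page) instead of falling through to a 404.
builder.Services.AddAuthorization(options => options.FallbackPolicy = options.DefaultPolicy);

// Swap in the handler from the post: a challenge on an endpoint-less request
// becomes a bare 404; every other result goes to the default handler.
builder.Services.AddSingleton<IAuthorizationMiddlewareResultHandler,
    SampleAuthorizationMiddlewareResultHandler>();

var app = builder.Build();

// Must sit before UseAuthorization so it sees the 404 the handler sets (the
// handler writes no body, so the response has not started) and re-executes
// the pipeline at /StatusCode/404 to render an error body.
app.UseStatusCodePagesWithReExecute("/StatusCode/{0}");

app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();

// The re-executed request DOES resolve to this endpoint, so AllowAnonymous is
// honoured here; without it the fallback policy would challenge the error
// page itself and bounce the 404 to the login screen.
app.MapGet("/StatusCode/{code:int}",
        (int code) => Results.Text($"Error {code}", statusCode: code))
   .AllowAnonymous();

// Stand-in login page so the challenge redirect has somewhere to land.
app.MapGet("/Account/Login", () => Results.Text("Login page")).AllowAnonymous();

// A real page with no attribute: the fallback policy still challenges anonymous
// callers here, so existing URLs keep redirecting to /Account/Login.
app.MapGet("/", () => Results.Text("Hello, authenticated user"));

app.Run();
```

To check the behaviour, send two requests without a cookie: one for a path that matches nothing (it should come back as a 404 with the `Error 404` body) and one for `/` (it should still be a 302 to `/Account/Login`). Moving `UseStatusCodePagesWithReExecute` below `UseAuthorization`, or dropping `AllowAnonymous()` from the error endpoint, reintroduces the redirect.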
Page URL
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/customizingauthorizationmiddlewareresponse?view=aspnetcore-8.0
Content source URL
https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/security/authorization/customizingauthorizationmiddlewareresponse.md
Document ID
d0147dca-5a50-c83b-ae92-8a7c4ea4f69f
Article author
@Rick-Anderson