
`FallbackPolicy` runs even when service or operation has `AuthorizeAttribute` applied

Per docs and testing with WebAPI controllers, FallbackPolicy should only run when the action does not have any IAuthorizeData attributes (Authorize or AllowAnonymous) applied. With CoreWCF, FallbackPolicy applies unconditionally (more like DefaultPolicy).

Example:

```csharp
using CoreWCF;
using CoreWCF.Configuration;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddServiceModelServices();
// AddFakeJwt() is the issue author's own test helper that registers a JWT scheme; it is not part of CoreWCF.
builder.Services.AddAuthentication().AddFakeJwt();
builder.Services.AddAuthorization(opts =>
{
    // Fallback policy that always denies; it should only apply to endpoints that carry no IAuthorizeData.
    opts.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAssertion(hc => false).Build();
    // Named policy that always allows; selected explicitly on the service via [Authorize(Policy = "Anonymous")].
    opts.AddPolicy("Anonymous", policy => policy.RequireAssertion(hc => true));
});

var app = builder.Build();

app.UseRouting();

app.UseAuthentication();
app.UseAuthorization();

app.UseServiceModel(c =>
{
    c.AddService<WcfService>()
        .AddServiceEndpoint<WcfService, IWcfService>(new BasicHttpBinding
        {
            Security = new BasicHttpSecurity
            {
                Mode = BasicHttpSecurityMode.Transport,
                Transport = new HttpTransportSecurity
                {
                    // Defer to the ASP.NET Core authentication/authorization middleware rather than the binding.
                    ClientCredentialType = HttpClientCredentialType.InheritedFromHost
                }
            }
        }, "/IWcfService");
});

app.Run();

[ServiceContract(Namespace = "urn:example")]
public interface IWcfService
{
    [OperationContract]
    void Hello();
}

// IAuthorizeData is present here, so per the ASP.NET Core docs the FallbackPolicy should not be evaluated.
[Authorize(Policy = "Anonymous")]
public class WcfService : IWcfService
{
    public void Hello()
    {
        Console.WriteLine("Example 2");
    }
}
```

Request:

```http
POST https://localhost:7160/IWcfService HTTP/1.1
Content-Type: text/xml; Charset=UTF-8
User-Agent: XML Spy
SOAPAction: "urn:example/IWcfService/Hello"
Host: localhost:7160
Content-Length: 126
Connection: Keep-Alive
Cache-Control: no-cache

<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
	<Body>
		<Hello xmlns="urn:example"/>
	</Body>
</Envelope>
```

Expected behavior: Only the "Anonymous" policy assertion is executed and the call completes.

Actual behavior: Both policies are executed and authorization results in access denied.

Versions: .Net 7, CoreWCF.Http 1.3.1
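The selection rule the issue relies on ("the fallback runs only when no IAuthorizeData is present") lives in ASP.NET Core's `AuthorizationPolicy.CombineAsync`, which the authorization middleware calls before evaluating anything. The following console program is an added example, not code from the issue or from CoreWCF; it drives the real `Microsoft.AspNetCore.Authorization` types with the same two policies as the issue and counts which assertion lambdas actually execute for three endpoint shapes. The package references, the `EvaluateAsync`/`Report` helpers and the counters are this example's own assumptions; the evaluator mirrors what the middleware does only for requirements that are their own handlers (`AssertionRequirement`, `DenyAnonymousAuthorizationRequirement`), which is all this scenario needs.

```csharp
// Added example (not from the issue or CoreWCF). Requires the Microsoft.AspNetCore.Authorization
// and Microsoft.Extensions.Options packages; run as a top-level-statements console app.
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Options;

// Counters record which assertion lambdas executed; a correct host increments each at most once below.
int fallbackRuns = 0, anonymousRuns = 0;

var options = new AuthorizationOptions
{
    // Same shape as the issue: a fallback that always denies.
    FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAssertion(_ => { fallbackRuns++; return false; })
        .Build()
};
// Named policy that always allows, as in the issue.
options.AddPolicy("Anonymous", p => p.RequireAssertion(_ => { anonymousRuns++; return true; }));

IAuthorizationPolicyProvider provider = new DefaultAuthorizationPolicyProvider(Options.Create(options));
// Identity without an authentication type is reported as not authenticated.
var anonymousUser = new ClaimsPrincipal(new ClaimsIdentity());

// Case 1: the endpoint carries no IAuthorizeData at all -> CombineAsync returns the FallbackPolicy.
var noAttributes = await AuthorizationPolicy.CombineAsync(provider, Array.Empty<IAuthorizeData>());
Report("no attribute", noAttributes, await EvaluateAsync(noAttributes, anonymousUser));

// Case 2: [Authorize(Policy = "Anonymous")] -> only the named policy; the fallback is never consulted.
var namedPolicy = await AuthorizationPolicy.CombineAsync(provider, new IAuthorizeData[] { new AuthorizeAttribute("Anonymous") });
Report("[Authorize(Policy=\"Anonymous\")]", namedPolicy, await EvaluateAsync(namedPolicy, anonymousUser));

// Case 3: bare [Authorize] -> DefaultPolicy (authenticated user required), again without the fallback.
var bareAuthorize = await AuthorizationPolicy.CombineAsync(provider, new IAuthorizeData[] { new AuthorizeAttribute() });
Report("[Authorize]", bareAuthorize, await EvaluateAsync(bareAuthorize, anonymousUser));

Console.WriteLine($"fallback assertion ran {fallbackRuns} time(s); Anonymous assertion ran {anonymousRuns} time(s)");
// With the documented ASP.NET Core behaviour: fallback ran once (case 1 only), Anonymous ran once (case 2 only),
// and case 2 is allowed while cases 1 and 3 are denied for an unauthenticated caller.

// Evaluates a policy the way the middleware would for requirements that are their own handlers
// (AssertionRequirement and DenyAnonymousAuthorizationRequirement both implement IAuthorizationHandler).
static async Task<bool> EvaluateAsync(AuthorizationPolicy? policy, ClaimsPrincipal user)
{
    if (policy is null) return true; // nothing to enforce: the middleware just calls the next delegate
    var context = new AuthorizationHandlerContext(policy.Requirements, user, resource: null);
    foreach (var requirement in policy.Requirements)
    {
        if (requirement is IAuthorizationHandler handler) await handler.HandleAsync(context);
    }
    return context.HasSucceeded;
}

// Prints which requirement types CombineAsync selected and whether the evaluation allowed the caller.
static void Report(string label, AuthorizationPolicy? policy, bool allowed)
{
    var requirements = policy is null ? "none" : string.Join(", ", policy.Requirements.Select(r => r.GetType().Name));
    Console.WriteLine($"{label,-34} requirements: {requirements,-40} allowed: {allowed}");
}
```

The same counting trick works as a regression check against any host that layers authorization on top of ASP.NET Core: put a counter in the fallback assertion, invoke an operation whose class carries `[Authorize(Policy = "...")]`, and treat any increment as a sign that the host evaluates the fallback unconditionally, which is the behaviour the issue reports for CoreWCF.Http 1.3.1. Note that `[AllowAnonymous]` is handled by the middleware before `CombineAsync` is reached, so it is not modelled here.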

Top GitHub Comments

mgaffigan commented, Feb 20, 2023 (1 reaction)

@g7ed6e, Ok. That would document the behavior I have observed.

g7ed6e commented, Feb 19, 2023

Added a few words about the FallbackPolicy in https://github.com/CoreWCF/corewcf.github.io/pull/10
