`FallbackPolicy` runs even when service or operation has `AuthorizeAttribute` applied
See original GitHub issue

Per docs and testing with WebAPI controllers, FallbackPolicy should only run when the action does not have any IAuthorizeData attributes (Authorize or AllowAnonymous) applied. With CoreWCF, FallbackPolicy applies unconditionally (more like DefaultPolicy).
Example:

using CoreWCF;
using CoreWCF.Configuration;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddServiceModelServices();
// AddFakeJwt() is a test authentication handler from the reporter's project, not a shipped API
builder.Services.AddAuthentication().AddFakeJwt();
builder.Services.AddAuthorization(opts =>
{
    // Fallback policy always denies; it should only apply to endpoints with no IAuthorizeData
    opts.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAssertion(hc => false).Build();
    // Named policy that always allows, selected explicitly on the service below
    opts.AddPolicy("Anonymous", policy => policy.RequireAssertion(hc => true));
});
var app = builder.Build();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseServiceModel(c =>
{
    c.AddService<WcfService>()
     .AddServiceEndpoint<WcfService, IWcfService>(new BasicHttpBinding
     {
         Security = new BasicHttpSecurity
         {
             Mode = BasicHttpSecurityMode.Transport,
             Transport = new HttpTransportSecurity
             {
                 // Let the ASP.NET Core authentication pipeline supply the caller identity
                 ClientCredentialType = HttpClientCredentialType.InheritedFromHost
             }
         }
     }, "/IWcfService");
});
app.Run();

[ServiceContract(Namespace = "urn:example")]
public interface IWcfService
{
    [OperationContract]
    void Hello();
}

// Explicit policy on the service: per ASP.NET Core semantics this should replace the fallback
[Authorize(Policy = "Anonymous")]
public class WcfService : IWcfService
{
    public void Hello()
    {
        Console.WriteLine("Example 2");
    }
}
Request:

POST https://localhost:7160/IWcfService HTTP/1.1
Content-Type: text/xml; Charset=UTF-8
User-Agent: XML Spy
SOAPAction: "urn:example/IWcfService/Hello"
Host: localhost:7160
Content-Length: 126
Connection: Keep-Alive
Cache-Control: no-cache

<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
  <Body>
    <Hello xmlns="urn:example"/>
  </Body>
</Envelope>
Expected behavior: only the "Anonymous" policy assertion is executed and the call completes.

Actual behavior: both policies are executed and authorization results in access denied.

Versions: .NET 7, CoreWCF.Http 1.3.1
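The following is an added example, not code from the issue or from CoreWCF. It reproduces, outside any host, the policy selection that ASP.NET Core's AuthorizationMiddleware performs through AuthorizationPolicy.CombineAsync, so the "expected behavior" above can be checked against the same options without running a service. It assumes an ASP.NET Core project (Microsoft.NET.Sdk.Web) on .NET 7 with the WcfService and IWcfService types from the issue compiled into it; the "no attributes" and bare [Authorize] cases are constructed here to show where the fallback and default policies actually apply.

```csharp
// Added example (not from the issue or CoreWCF): mirrors the middleware's policy selection.
// Assumes an ASP.NET Core project with the issue's WcfService type in the same compilation.
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

var services = new ServiceCollection();
services.AddLogging(); // DefaultAuthorizationService takes an ILogger
services.AddAuthorization(opts =>
{
    // Same options as the issue's Program: fallback always denies, "Anonymous" always allows.
    opts.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAssertion(_ => false).Build();
    opts.AddPolicy("Anonymous", p => p.RequireAssertion(_ => true));
});
var sp = services.BuildServiceProvider();
var provider = sp.GetRequiredService<IAuthorizationPolicyProvider>();
var authz = sp.GetRequiredService<IAuthorizationService>();

// Unauthenticated caller; the assertion policies ignore the user, DefaultPolicy does not.
var anonymousUser = new ClaimsPrincipal(new ClaimsIdentity());

// The metadata the middleware reads for an endpoint: every IAuthorizeData attribute on the type.
// MVC copies these into endpoint metadata; for CoreWCF endpoints that step is CoreWCF's.
static IAuthorizeData[] AuthorizeDataOf(Type t) =>
    t.GetCustomAttributes(inherit: true).OfType<IAuthorizeData>().ToArray();

async Task<string> Check(string label, IAuthorizeData[] metadata)
{
    // CombineAsync builds the effective policy from the attributes. Only when there are
    // none does it return FallbackPolicy (or null if no fallback is configured).
    AuthorizationPolicy? effective = await AuthorizationPolicy.CombineAsync(provider, metadata);
    if (effective is null)
        return $"{label}: no attributes and no FallbackPolicy -> allowed";

    var result = await authz.AuthorizeAsync(anonymousUser, resource: null, effective);
    return $"{label}: {effective.Requirements.Count} requirement(s) -> " +
           (result.Succeeded ? "allowed" : "denied");
}

// 1. The issue's service, [Authorize(Policy = "Anonymous")]: one requirement, allowed.
//    The fallback assertion is never part of the effective policy.
Console.WriteLine(await Check("WcfService", AuthorizeDataOf(typeof(WcfService))));

// 2. An endpoint with no IAuthorizeData at all: the fallback policy is selected and denies.
Console.WriteLine(await Check("no attributes", Array.Empty<IAuthorizeData>()));

// 3. A bare [Authorize] (constructed here): DefaultPolicy applies, not FallbackPolicy.
//    The default policy requires an authenticated user, so the anonymous caller is denied.
Console.WriteLine(await Check("bare [Authorize]", new IAuthorizeData[] { new AuthorizeAttribute() }));
```

If CoreWCF followed the same selection, case 1 is what the issue's request should hit. A quick way to confirm which path a deployed service takes is to replace the fallback's `RequireAssertion(_ => false)` with one that logs before returning: it should never log for an operation whose service carries an explicit `[Authorize(Policy = ...)]`.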
Issue Analytics: created 7 months ago; 7 comments
Top GitHub Comments
@g7ed6e, Ok. That would document the behavior I have observed. Added a few words about the FallbackPolicy in https://github.com/CoreWCF/corewcf.github.io/pull/10