aspnetcore: "DenyAnonymousAuthorizationRequirement" is not respecting "AuthorizationOptions.InvokeHandlersAfterFailure"
Describe the bug
When building authorization policies with PolicyBuilder and specifying either “.RequireAuthenticatedUser()” or explicitly adding “DenyAnonymousAuthorizationRequirement”, authorization won't fail immediately when the “AuthorizationOptions.InvokeHandlersAfterFailure” option is set to false.
To Reproduce
Create empty aspnet project with any type of authentication.
Add authorization:
services
    .AddAuthorization(options =>
    {
        // indicates that authorization should fail immediately after
        // the first failed policy and not proceed to any other pending policies
        options.InvokeHandlersAfterFailure = false;
        options.DefaultPolicy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .RequireAssertion(context =>
            {
                // this code should never be executed on an unauthenticated request
                return context.User.Identity.IsAuthenticated;
            })
            .Build();
    });
Make unauthenticated request.
Expected result
All unauthenticated requests should fail on the “.RequireAuthenticatedUser()” requirement and not execute further requirements if “InvokeHandlersAfterFailure” is set to “false”.
Actual result
Every unauthenticated request executes “RequireAssertion” followed by the “.RequireAuthenticatedUser()” requirement when “InvokeHandlersAfterFailure” is set to “false”.
Exceptions (if any)
None
Root cause
The “DenyAnonymousAuthorizationRequirement” implementation never calls context.Fail() on an unauthenticated request, hence the “InvokeHandlersAfterFailure” = “false” setting is not respected.
DenyAnonymousAuthorizationRequirement.cs: https://github.com/dotnet/aspnetcore/blob/8b30d862de6c9146f466061d51aa3f1414ee2337/src/Security/Authorization/Core/src/DenyAnonymousAuthorizationRequirement.cs#L20-L31
Further technical details
- ASP.NET Core version 3.1
- VS 2019 Version 16.10.4
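The root cause above turns on one call: a requirement handler that never calls context.Fail() never marks the AuthorizationHandlerContext as failed, so DefaultAuthorizationService has nothing to short-circuit on. The following is an added example, not code from the issue or from the aspnetcore repository, showing a requirement with the same anonymity check whose handler does call context.Fail(), exercised directly against a constructed AuthorizationHandlerContext. The names DenyAnonymousOrFailRequirement, DenyAnonymousOrFailHandler and FailFastDemo, the scheme name "TestScheme" and the sample principals are assumptions made for the illustration.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Hypothetical requirement (not part of ASP.NET Core): same intent as
// DenyAnonymousAuthorizationRequirement, but its handler calls context.Fail()
// for anonymous principals instead of only calling Succeed() for authenticated ones.
public sealed class DenyAnonymousOrFailRequirement : IAuthorizationRequirement { }

public sealed class DenyAnonymousOrFailHandler : AuthorizationHandler<DenyAnonymousOrFailRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        DenyAnonymousOrFailRequirement requirement)
    {
        // Same anonymity test as the built-in requirement: no identity at all,
        // or no authenticated identity among the principal's identities.
        var user = context.User;
        var isAnonymous = user?.Identity == null
                          || !user.Identities.Any(identity => identity.IsAuthenticated);

        if (isAnonymous)
        {
            // Marking the context as failed is what DefaultAuthorizationService
            // inspects (together with InvokeHandlersAfterFailure) after each
            // handler before deciding whether to invoke the next one.
            context.Fail();
        }
        else
        {
            context.Succeed(requirement);
        }

        return Task.CompletedTask;
    }
}

// Driver that runs the handler against a constructed AuthorizationHandlerContext,
// with no DI container or HTTP pipeline involved.
public static class FailFastDemo
{
    private static async Task<AuthorizationHandlerContext> RunAsync(ClaimsPrincipal user)
    {
        var requirement = new DenyAnonymousOrFailRequirement();
        var context = new AuthorizationHandlerContext(new[] { requirement }, user, resource: null);
        await new DenyAnonymousOrFailHandler().HandleAsync(context);
        return context;
    }

    // Constructed sample principals: a ClaimsIdentity created without an
    // authentication type reports IsAuthenticated == false; one created with a
    // type ("TestScheme" here, an arbitrary label) reports true.
    public static Task<AuthorizationHandlerContext> AnonymousAsync() =>
        RunAsync(new ClaimsPrincipal(new ClaimsIdentity()));

    public static Task<AuthorizationHandlerContext> AuthenticatedAsync() =>
        RunAsync(new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, "alice") }, "TestScheme")));

    public static async Task Main()
    {
        var anonymous = await AnonymousAsync();
        System.Console.WriteLine(
            $"anonymous: HasFailed={anonymous.HasFailed}, HasSucceeded={anonymous.HasSucceeded}");

        var authenticated = await AuthenticatedAsync();
        System.Console.WriteLine(
            $"authenticated: HasFailed={authenticated.HasFailed}, HasSucceeded={authenticated.HasSucceeded}");
    }
}
```

To use it in the policy from the report, replace .RequireAuthenticatedUser() with .AddRequirements(new DenyAnonymousOrFailRequirement()) and register the handler with services.AddSingleton<IAuthorizationHandler, DenyAnonymousOrFailHandler>(). One caveat: DefaultAuthorizationService evaluates InvokeHandlersAfterFailure between IAuthorizationHandler instances in the order the DI container returns them, and a RequireAssertion requirement runs inside the built-in PassThroughAuthorizationHandler, so the assertion is skipped only if the custom handler is resolved ahead of that pass-through handler.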
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Comments: 15 (11 by maintainers)
That’s fair, we’ll talk about it in triage later this week.