AspNetCore.Docs

Identity default FallbackPolicy interferes with StatusCodePages 404 middleware

Open lonix1 opened this issue 1 year ago • 4 comments

Description

The linked page's code is incorrect, and its wording could be improved.

When one uses Identity and "secure by default" config - i.e. builder.Services.AddAuthorization(x => x.FallbackPolicy = x.DefaultPolicy); - then attempts to access a non-existent page will go to the login page instead of the error/404 page.

To force requests to go to the error/404 page instead, the linked page's code is given as a solution. But it doesn't work. Perhaps some changes were made in the last few aspnet versions?

This does work:

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;
using Microsoft.AspNetCore.Http;
using System.Threading.Tasks;

// Registered with builder.Services.AddSingleton<IAuthorizationMiddlewareResultHandler, SampleAuthorizationMiddlewareResultHandler>();
public class SampleAuthorizationMiddlewareResultHandler : IAuthorizationMiddlewareResultHandler
{
    // Delegate everything we do not special-case to the framework's default handler,
    // which issues the normal challenge/forbid (for Identity, a redirect to the login page).
    private readonly AuthorizationMiddlewareResultHandler _defaultHandler = new();

    public async Task HandleAsync(RequestDelegate next, HttpContext context, AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
    {
        // A request that matched no endpoint can never carry [AllowAnonymous],
        // so the fallback policy challenges it. Answer 404 instead of redirecting to login.
        if (!authorizeResult.Succeeded &&
            authorizeResult.Challenged &&
            context.GetEndpoint() == null)
        {
            // Return a 404 to make it appear as if the resource doesn't exist.
            context.Response.StatusCode = StatusCodes.Status404NotFound;
            return; // short-circuit: do not call next
        }

        await _defaultHandler.HandleAsync(next, context, policy, authorizeResult);
    }
}

Also, the "secure by default" docs linked above should be updated to mention this gotcha, else the app doesn't behave as expected. In this scenario, that page is misleading as it states:

The fallback authorization policy requires all users to be authenticated, except for Razor Pages, controllers, or action methods with an authorization attribute. For example, Razor Pages, controllers, or action methods with [AllowAnonymous] or [Authorize(PolicyName="MyPolicy")] use the applied authorization attribute rather than the fallback authorization policy.

It should state that there is one case where the [AllowAnonymous] attribute is ignored, and that should link to the doc discussed above.

Similarly, the status code pages doc should include a warning box with the same note.

Page URL

https://learn.microsoft.com/en-us/aspnet/core/security/authorization/customizingauthorizationmiddlewareresponse?view=aspnetcore-8.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/security/authorization/customizingauthorizationmiddlewareresponse.md

Document ID

d0147dca-5a50-c83b-ae92-8a7c4ea4f69f

Article author

@Rick-Anderson

lonix1, Apr 22 '24 04:04
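The full wiring the first post describes, as an added example that is not code from the issue or from the ASP.NET Core docs: a minimal .NET 8 Program.cs that reproduces the "login page instead of 404" behaviour under a fallback policy and then fixes it with a result handler of the same shape as the one above. Cookie authentication stands in for Identity here (an assumption: Identity's application cookie challenges the same way, by redirecting to its login path), and the endpoint names, the handler class name and the /Error/{0} re-execute path are all chosen for the example.

```csharp
// Added example (not the issue's or the docs' code). Assumes a .NET 8 web SDK
// project with implicit usings; cookie auth stands in for ASP.NET Core Identity.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(o => o.LoginPath = "/login");

// "Secure by default": every request must be authenticated unless the matched
// endpoint carries its own authorization metadata ([AllowAnonymous] etc.).
builder.Services.AddAuthorization(o => o.FallbackPolicy = o.DefaultPolicy);

// Comment out this registration to reproduce the issue:
// GET /does-not-exist then answers 302 -> /login instead of 404.
builder.Services.AddSingleton<IAuthorizationMiddlewareResultHandler,
                              NotFoundBeforeChallengeHandler>();

var app = builder.Build();

// Sits before the auth middleware so it sees the 404 the handler sets and
// re-executes the pipeline against /Error/404.
app.UseStatusCodePagesWithReExecute("/Error/{0}");

app.UseAuthentication();
app.UseAuthorization();

// The error and login endpoints must opt out of the fallback policy: the
// re-executed request resolves to a real endpoint, so the handler below does
// not intercept it, and without AllowAnonymous the challenge would fire again.
app.MapGet("/Error/{code:int}", (int code) => Results.Text($"Error {code}"))
   .AllowAnonymous();
app.MapGet("/login", () => Results.Text("login page")).AllowAnonymous();

app.MapGet("/", () => "protected home"); // fallback policy applies here

app.Run();

// Hypothetical name; same logic as the handler posted in the issue.
public class NotFoundBeforeChallengeHandler : IAuthorizationMiddlewareResultHandler
{
    private readonly AuthorizationMiddlewareResultHandler _default = new();

    public async Task HandleAsync(RequestDelegate next, HttpContext context,
        AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
    {
        // No endpoint matched: nothing could have carried [AllowAnonymous], so the
        // fallback policy challenged an unknown path. Return 404 rather than redirect.
        if (!authorizeResult.Succeeded
            && authorizeResult.Challenged
            && context.GetEndpoint() is null)
        {
            context.Response.StatusCode = StatusCodes.Status404NotFound;
            return; // do not call next; StatusCodePages re-executes to /Error/404
        }

        // Everything else (real endpoint, anonymous user): normal challenge/forbid.
        await _default.HandleAsync(next, context, policy, authorizeResult);
    }
}
```

With the handler registered, an unauthenticated GET /does-not-exist returns 404 with the body "Error 404", while GET / still redirects to /login. Two details worth checking in your own app: the error page (or Razor Page) must itself be [AllowAnonymous], since the re-executed request does match an endpoint and goes through the fallback policy again, and the handler intentionally leaves Forbidden (authenticated but not allowed) untouched so those requests still get the default 403 behaviour.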

Background info for this issue on StackOverflow.

lonix1, Apr 22 '24 06:04

@lonix1 I think when using template generated Razor Pages code, unauthorized access redirects to the sign in page.

@Tratcher please assign a reviewer.

Rick-Anderson, Apr 23 '24 01:04

@adityamandaleeka and @mkArtakMSFT should be assigning reviewers now.

Tratcher, Apr 23 '24 02:04

I've been caught by this problem too. Have spent several hours before tracking it down to this issue, so a resolution would help.

Personally, I think it needs a code update to change behaviour as you would not expect the 404 page to be behind a login check.

RyanONeill1970, Jul 01 '24 10:07