Is it possible to use a custom "AuthorizeAttribute" for one action of a controller protected by FluentSecurity

[elcoda]

Dears, one question on how to manage a different authentication for one specific action of a controller protected by FluentSecurity.

This action is different from others because is returning Json to be consumed by others. In this case I want to use Basic authentication instead of Form authentication. But I want to reuse the filters and logic of the same controller.

I tried several times creating a custom AuthorizeAttribute without any luck. It seems to me that FluentSecurity is taking control of the authentication before calling OnAuthorization of my custom attribute.

I don't know if it is possible to manage this kind of scenario. Have you got any suggestion? May I use a Policy violation handler to "chain" BasicAuthentication after form authentication?

Many thanks

[tiesont]

I would assume decorating the action with the AuthorizeAttribute, and then adding an "ignore" rule in your FluentSecurity config should be all you need.

So, something similar to

For<Controllers.YourController>(c => c.YourAction()).AllowAny();

and

public class YourController : Controller
{
    [Authorize()]
    public ActionResult YourAction()
    {
        /* whatever... */
    }
}

[elcoda]

Tieson, many thanks for your answer. I will retry, but for sure I decorated my action with [MyCustomAuthorize] and ignored that action in fluentsecurity (with .Ignore() I suppose).. but I will retry because I did so many experiments.

[tiesont]

FWIW, order does matter when creating/applying your policies in FluentSecurity, so make sure you're not accidentally applying another policy somewhere else in your configuration.

This might also be a better fit for StackOverflow, though to post this question there you'll need to be able to create a reproducible example of what you're seeing.