
Currently I have the following configuration for an ASP.NET Core 2.1 project in Startup.cs:

public void ConfigureServices(IServiceCollection services)
{
    //... some other configs
    
    services.AddMvc(options =>
        {
            var policy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
            var authorizeFilter = new AuthorizeFilter(policy);
            options.Filters.Add(authorizeFilter);
        });
        
    services.AddAuthorization(options =>
        {
            options.AddPolicy("PolicyA", builder =>
                builder.Requirements.Add(new RequirementA()));
            options.AddPolicy("PolicyB", builder =>
                builder.Requirements.Add(new RequirementB()));
        });
    
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "authority";
                options.Audience = "audience";
            });
    //... some more configs
}

and also a Controller that starts like this:

[Authorize(Policy="PolicyA")]
[Authorize(Policy="PolicyB")]
public class MyController : ControllerBase
{
    // super awesome code I can't show :P
}

My goal is to execute the AuthorizeFilter that handles the basic Bearer authentication and authorization before "PolicyA" and "PolicyB". At the moment it seems like the AuthorizeFilter is executed last, after "PolicyA" and "PolicyB".

I already looked into similar issues posted here, but I only found solutions for setting the execution order of Attributes, but I want to use the MVC filter if possible instead of an attribute for the basic authentication and authorization.

So this one unfortunately didn't help me: Action filter execution order


Update: As Xerillio suggested in the comments, policies are probably meant to be self-contained, so I adapted my AuthorizationHandlers to also check what my AuthorizeFilter is checking already. This does not feel like the best possible solution, but I will keep it for now.

René
  • If your policies require the user to be authenticated, then you should add that to the policies. I think policies are meant to be self-contained and not dependent on each other. – Xerillio Jun 21 '21 at 19:01
  • But e.g. the AuthorizeFilter checks for username and password being correct, which is required everywhere in the application. Additionally I want to have different policies for specific requirements, e.g. a specific user role like admin that can access the AdminController. What would be the best way to implement this? When the requirements can't depend on each other I will need to duplicate or at least reference the same code in every IAuthorizationHandler. I think there must be a better way to do this. – René Jun 22 '21 at 07:08
  • If your policies are about requiring the user to have a specific role, then you should look at [role-based authorization](https://learn.microsoft.com/en-us/aspnet/core/security/authorization/roles?view=aspnetcore-5.0) and not policies. – Xerillio Jun 22 '21 at 17:18
  • Role-based authorization does not solve my problem here, because it is not any different from using policies in its execution behavior and order. I didn't use role-based authorization here because it is more limited in functionality, but that is a different topic... – René Jun 23 '21 at 12:51
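The following is an added example, not code from the question or its comments, showing the self-contained policy approach the comments describe: each policy carries its own `RequireAuthenticatedUser()` requirement, so no policy depends on the global AuthorizeFilter having run first, and the handlers only implement their own check. The names `RequirementA`, `RequirementB`, `PolicyA` and `PolicyB` come from the question; `RequirementAHandler`, `RequirementBHandler`, the `can_use_a` claim and the `admin` role are assumptions made for illustration.

```csharp
// Added example (not the question's own code): self-contained authorization policies
// for ASP.NET Core 2.1. Handler classes, the "can_use_a" claim and the "admin" role
// are assumed names for illustration only.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.DependencyInjection;

public class RequirementA : IAuthorizationRequirement { }
public class RequirementB : IAuthorizationRequirement { }

// Because PolicyA already includes RequireAuthenticatedUser(), this handler does not
// need to re-check authentication; it only evaluates its own requirement.
public class RequirementAHandler : AuthorizationHandler<RequirementA>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, RequirementA requirement)
    {
        // Assumed claim name for illustration.
        if (context.User.HasClaim(c => c.Type == "can_use_a" && c.Value == "true"))
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

public class RequirementBHandler : AuthorizationHandler<RequirementB>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, RequirementB requirement)
    {
        // Assumed role name for illustration.
        if (context.User.IsInRole("admin"))
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // The global filter still rejects anonymous callers on every action.
        services.AddMvc(options =>
        {
            var policy = new AuthorizationPolicyBuilder()
                .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
                .RequireAuthenticatedUser()
                .Build();
            options.Filters.Add(new AuthorizeFilter(policy));
        });

        services.AddAuthorization(options =>
        {
            // Each policy is self-contained: authenticated user AND its own requirement.
            options.AddPolicy("PolicyA", builder => builder
                .RequireAuthenticatedUser()
                .AddRequirements(new RequirementA()));
            options.AddPolicy("PolicyB", builder => builder
                .RequireAuthenticatedUser()
                .AddRequirements(new RequirementB()));
        });

        // Handlers are resolved from DI; without this registration the
        // requirements can never succeed and every request is denied.
        services.AddSingleton<IAuthorizationHandler, RequirementAHandler>();
        services.AddSingleton<IAuthorizationHandler, RequirementBHandler>();

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "authority"; // placeholder values from the question
                options.Audience = "audience";
            });
    }
}

// MVC merges the policies of all AuthorizeFilters that apply to an action (the global
// filter plus both attributes) into one combined policy, so every requirement is
// evaluated in a single authorization pass rather than in attribute order.
[Authorize(Policy = "PolicyA")]
[Authorize(Policy = "PolicyB")]
public class MyController : ControllerBase
{
}
```

With this layout a handler that only checks a claim or role can no longer be reached by an unauthenticated principal even if the global filter is removed later, which is the property that makes the duplication the question worries about unnecessary.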
