Add Authorization post #10
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
g7ed6e
force-pushed
the
authorization-post
branch
from
851506f to
b8c66af
Compare
g7ed6e
force-pushed
the
authorization-post
branch
from
b8c66af to
d36035c
Compare
g7ed6e
force-pushed
the
authorization-post
branch
from
d36035c to
5884e5e
Compare
g7ed6e
force-pushed
the
authorization-post
branch
from
5884e5e to
efda16f
Compare
g7ed6e
force-pushed
the
authorization-post
branch
from
efda16f to
3438740
Compare
mconnew
reviewed
Dec 16, 2022
mconnew
reviewed
Dec 16, 2022
mconnew
reviewed
Dec 16, 2022
| - `Roles` property is not supported and will trigger a build warning `COREWCF_0202`. | ||
|
|
||
| #### AllowAnonymous support | ||
| We did not bring support of the `[AllowAnonymous]` attribute as we believe that a strong interface segregation between anonymous and secured operations should be set. Moreover supporting this attribute would imply delaying the authentication step in the pipeline leading to potential DDoS vulnerabilities. Decorating an `OperationContract` implementation with `[AllowAnonymous]` will have no effect and will trigger a build warning `COREWCF_0200`. |
Member
There was a problem hiding this comment.
DDoS -> DoS
DDoS generally refers to an attack which relies on flooding the bandwidth of the service (which is why you need lots of clients), or circumventing protections preventing single ip addresses from making too many requests. The nature of the potential vulnerability here doesn't need a distributed attack.
mconnew
reviewed
Dec 16, 2022
mconnew
reviewed
Dec 16, 2022
|
|
||
| ### Exclusiveness of ASP.NET Core Authorization policies and `ServiceAuthorizationManager` | ||
|
|
||
| Having `ClientCredentialType` set to `InheritedFromHost` disable the execution of an authorization logic implemented in `ServiceAuthorizationManager`. |
mconnew
reviewed
Dec 16, 2022
Contributor
Author
|
TODO Add a link to the sample from CoreWCF/samples#29 once merged |
g7ed6e
force-pushed
the
authorization-post
branch
from
b230669 to
19f5aec
Compare
When quoting class names with back ticks in section headings it renders strange as the class name is rendered in a lot smaller font.
mconnew
approved these changes
Apr 19, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.