ASP.NET MVC Identity whitelisting vs blacklisting – Don’t trust yourself

Just imagine two different scenarios in an ASP.NET MVC app using ASP.NET Identity. In both cases you have an application that requires the user to be logged in.

Scenario 1: Blacklisting

Your authentication default is “allow anonymous”, which is the default of the ASP.NET MVC 5 template. You create a new action method on a controller and forget to add the [Authorize] attribute.

Resulting issue: You have a potential security hole in your application that may remain undetected and possibly be exploited.

Scenario 2: Whitelisting

Your global authentication-default is “requires authentication”. You create a new action method on a controller that should be accessible without authentication and forget to add the [AllowAnonymous] attribute.

Resulting issue: You try your application, can’t enter that new page and fix it. In the worst case you didn’t do your homework and a customer/user finds the bug and complains to you.

Which issue would you rather have to deal with?

I personally prefer the whitelisting approach and err on the side of caution.
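An added example, not code from the original post: the whitelisting default registered as a global filter in MVC 5, plus a reflection audit that lists every action an anonymous user can reach, so a forgotten [Authorize] (scenario 1) or an unintended [AllowAnonymous] (scenario 2) shows up in a test. `AnonymousActionAudit` and its `Find` method are hypothetical names; the audit only considers the global filter and the two attributes, not custom authorization filters.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

public static class FilterConfig
{
    // Whitelisting: every action requires an authenticated user unless it opts out.
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new AuthorizeAttribute());
    }
}

// Hypothetical helper (an assumption of this example), meant to be called from a unit test.
public static class AnonymousActionAudit
{
    // Returns "Controller.Action" for every action reachable without logging in.
    // globalAuthorize: true when AuthorizeAttribute is registered as a global filter.
    public static IList<string> Find(Assembly webAssembly, bool globalAuthorize)
    {
        return webAssembly.GetTypes()
            .Where(t => !t.IsAbstract && typeof(Controller).IsAssignableFrom(t))
            .SelectMany(t => t.GetMethods(BindingFlags.Public | BindingFlags.Instance))
            .Where(IsAction)
            .Where(m => IsAnonymous(m, globalAuthorize))
            .Select(m => m.ReflectedType.Name + "." + m.Name)
            .ToList();
    }

    private static bool IsAction(MethodInfo m)
    {
        // Skip property accessors, [NonAction] methods and members of Controller/ControllerBase/object.
        Type declaring = m.GetBaseDefinition().DeclaringType;
        return !m.IsSpecialName
            && !m.IsDefined(typeof(NonActionAttribute), true)
            && declaring != typeof(Controller)
            && typeof(Controller).IsAssignableFrom(declaring);
    }

    private static bool IsAnonymous(MethodInfo m, bool globalAuthorize)
    {
        Type c = m.ReflectedType, anon = typeof(AllowAnonymousAttribute), authz = typeof(AuthorizeAttribute);
        // [AllowAnonymous] on the action or its controller overrides every [Authorize].
        if (m.IsDefined(anon, true) || c.IsDefined(anon, true)) return true;
        return !(globalAuthorize || m.IsDefined(authz, true) || c.IsDefined(authz, true));
    }
}
```

In a test, compare the result of `Find` for the web project's assembly against the list of pages that are meant to be public and fail on any difference.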

See also: Enable global authentication with ASP.NET MVC and Identity