ASP.NET MVC Identity whitelisting vs blacklisting – Don’t trust yourself

Just imagine 2 different scenarios in a ASP.NET MVC app using ASP.NET Identity. In both cases you have an application that requires the user to be logged in.

Scenario 1: Blacklisting

Your authentication-default is “allow anonymous”, which is the default of the ASP.NET MVC 5 template. You create a new Action Method on a controller and forget to add the [authorize] attribute.

Resulting Issue: You have a potential security hole in your application that may remain undetected and possibly exploited.

Scenario 2: Whitelisting

Your global authentication-default is “requires authentication”. You create a new action method on a controller that should be accessible without authentication and forget to add the [AllowAnonymous] attribute.

Resulting issue: You try your application, can’t enter that new page and fix it. In the worst case you didn’t do your homework and a customer/user finds the bug and complains to you.

Which issue would you rather have to deal with?

I personally prefer the whitelisting approach and err on the side of caution.

See also: Enable global authentication with ASP.NET MVC and Identity


How I started blogging

Have you been thinking of starting a blog? Then you probably know that it can look like a huge and frightening task…

I have thought about starting one several times in the past.

I then asked myself a lot of questions and got overwhelmed by the answers I found by myself or using google:

  • How to name my blog?
  • Which blogging platform to use?
  • As a IT professional, should I install and setup my baby manually?
  • What to blog about?
  • What language to blog in (with German, English and Spanish to choose from in my case)?
  • Do I have anything to add to the internet? So much stuff already out there….
  • Who am I, to <fill in the blank>?

If you have an introvert tendency like me all these unknowns can give you the excuses you need to NOT get started at all.

Luckily I stumbled over John Sonmez SimpleProgrammer-website and Youtube-channel. After consuming a lot of his free content he is putting out there I finally tried his blog-course and I am glad I did! He managed to simplify the task at hand and use his psychology skills to destroy all your excuses one after another so you can’t help but get that thing up and running!

The fact that you are reading this is the proof! 🙂

Enable global authentication with ASP.NET MVC and Identity

To require user authentication for all action methods on all controllers please add the AuthorizeAttribute class to the App_Start/FilterConfig.cs file:

public static void RegisterGlobalFilters(GlobalFilterCollection filters) 
    filters.Add(new AuthorizeAttribute()); 

To configure an exception and allow anonymous access to an action method: Decorate it with the AllowAnonymousattribute:

public ActionResult Index()
    // do stuff