Using Fluent Security, I have configured website access using DenyAnonymousAccess, DenyAuthenticationAccess and RequireRole. However, since HandleSecurityAttribute is not an authorization filter, all logic to handle DenyAnonymousAccessPolicyViolation only gets executed after authorization filters such as ValidateAntiForgeryToken.
This means that if the current user's authentication ticket has timed out, any action decorated with ValidateAntiForgeryToken will throw an exception, since the token is not created for an anonymous user.
So is there a way to work around this? I am currently looking at two solutions:

1. HandleSecurityAttribute security does.
2. Authorize filter to handle authentication and leave role / other access policy to FluentSecurity.

Update:

I checked in a demo at github; the username and password for this are dev1 and devdev. I set the forms authentication timeout to 1 minute. So if you log in, wait for one minute, and then click on logoff, you will get "the token is not created for anonymous user". In normal MVC, this won't happen since [Authorize] runs before [ValidateAntiForgeryToken], which redirects the user back to the login screen.
I haven't had any problems with this. Make sure that you put the HandleSecurityAttribute first in the filters list!
GlobalFilters.Filters.Add(new HandleSecurityAttribute(), 0);
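As an added illustration of the answer above (not code from the question's demo or from the FluentSecurity project), here is how the global filter registration and the FluentSecurity configuration fit together in an ASP.NET MVC application. HandleSecurityAttribute is registered with explicit order 0 ahead of the other global filters, and the policies mirror the ones named in the question. The AccountController with its LogOn and LogOff actions is a hypothetical controller assumed for the example.

```csharp
using System.Web;
using System.Web.Mvc;
using FluentSecurity;

// Assumed to exist in the application: a controller with LogOn/LogOff actions.
public class AccountController : Controller
{
    public ActionResult LogOn() { return View(); }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff() { return RedirectToAction("LogOn"); }
}

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        // Register FluentSecurity's filter first and with explicit order 0,
        // so its policy checks run before the other global filters.
        filters.Add(new HandleSecurityAttribute(), 0);
        filters.Add(new HandleErrorAttribute());
    }
}

public class SecurityConfig
{
    public static void Configure()
    {
        SecurityConfigurator.Configure(configuration =>
        {
            // Tell FluentSecurity how to determine whether the caller is authenticated.
            // Once the forms authentication ticket has expired this returns false.
            configuration.GetAuthenticationStatusFrom(() =>
                HttpContext.Current.User.Identity.IsAuthenticated);

            // Default policy: every controller requires an authenticated user.
            configuration.ForAllControllers().DenyAnonymousAccess();

            // The login page is for anonymous users only.
            configuration.For<AccountController>(x => x.LogOn()).DenyAuthenticatedAccess();

            // LogOff keeps the default DenyAnonymousAccess policy, so a user whose
            // ticket has timed out is handled by FluentSecurity's policy violation
            // handling rather than reaching ValidateAntiForgeryToken first.
        });
    }
}

public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        // Configure the policies before the filters are registered.
        SecurityConfig.Configure();
        FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
    }
}
```

The point of the explicit order argument is that filters registered without one share the same default order, and their relative position is then not something the policy configuration controls; passing 0 makes the intended position of HandleSecurityAttribute explicit.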