If I want to secure a particular section in my MVC app, I use [Authorize] for the ActionMethod. I also know that I can use it for the entire controller so that I don't have to specify it for each and every ActionMethod in it.
I want to require authorization globally and want to be able to allow anonymous users in only a few places. How do I require users to be authorized globally and allow anonymous users in a few ActionMethods?
You can simply register AuthorizeFilter globally in your Startup.cs:
public void ConfigureServices(IServiceCollection services)
{
// configure/build your global policy
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
services.AddMvc(x => x.Filters.Add(new AuthorizeFilter(policy)));
}
(The actual policy-building bits were taken from @Sam's own answer)