AllowAnonymous vs OverrideAuthorizeAttribute

Submitted by 无人久伴 on 2019-12-23 16:30:28

Question


What is the difference in the use of AllowAnonymous and OverrideAuthorizeAttribute. Is it same?


Answer 1:


http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api

The two are different, but can have the same effect in certain circumstances. Authentication is the process of verifying the user. Overrides disable the filter of the override type at the next highest level of scope. Authorization is the process of determining if the user should have access to a specific resource. The [AllowAnonymous] attribute disables authentication such that Web API will skip authentication and authorization during an access request to a controller decorated with this attribute or to a specific action method decorated with this attribute. Consider the following Controller Class from the article listed in the link.

 [Authorize]
 public class ValuesController : ApiController
 {
     [AllowAnonymous]
     public HttpResponseMessage Get() { ... }
     public HttpResponseMessage Post() { ... }
 }

In the above example, authorized users (any identified user) have access to the Post action method, but no authorization is required for the Get action method.

Authorization restricts access to a resource to those users that belong to those users or user roles that have been granted access. The [OverrideAuthorization] attribute disables the [Authorization] step such that any authenticated user would have access to the action method. This can be seen in the following example taken from the article.

Consider the following Controller Class:

 [Authorize(Roles="Admins")]
 public class SomeController : ApiController
 {
     [OverrideAuthorization]
     [Authorize(Roles="Users")]
     public IEnumerable<SomeModel> Get() {...}
     public SomeModel Post() {...}
 }

In the above example, a user must be authenticated and have a principal to access any of the action methods defined by the controller. However, while only principals with a role of "Admins" can access the Post action method, any authenticated user in the Users role can access the Get action method.
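To make the scoping rules in the answer above concrete, here is an added simulation (constructed for this page, not ASP.NET or framework code) of how Web API 2 combines the three attributes across controller and action scope. It encodes three rules the framework applies: every [Authorize] filter in scope runs and each must pass; [OverrideAuthorization] on an action drops the authorization filters declared at controller scope; and [AllowAnonymous] makes the authorization check pass (in Web API it works by having AuthorizeAttribute skip its check, not by turning authentication off). The controller and action layouts, principal names and roles are taken from the two examples above or constructed for the demonstration; the dataclass names are stand-ins, not the real attribute types.

```python
# Constructed model (not ASP.NET code) of how Web API 2 resolves [Authorize],
# [AllowAnonymous] and [OverrideAuthorization] across controller and action scope.
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class Authorize:
    """Stand-in for [Authorize]; an empty role set means 'any authenticated user'."""
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class AllowAnonymous:
    """Stand-in for [AllowAnonymous]."""


@dataclass(frozen=True)
class OverrideAuthorization:
    """Stand-in for [OverrideAuthorization]: for the decorated action, authorization
    filters declared at controller (and global) scope no longer run."""


Attr = Union[Authorize, AllowAnonymous, OverrideAuthorization]


@dataclass(frozen=True)
class Principal:
    """Constructed caller identity: name, role membership, authenticated flag."""
    name: str
    roles: frozenset = frozenset()
    authenticated: bool = True


ANONYMOUS = Principal("anonymous", authenticated=False)


def effective_authorize_filters(controller_attrs: List[Attr],
                                action_attrs: List[Attr]) -> List[Authorize]:
    """Authorize filters that actually execute for one action.

    Without an override, controller-level and action-level filters stack;
    with [OverrideAuthorization] on the action only the action's own remain."""
    action_filters = [a for a in action_attrs if isinstance(a, Authorize)]
    if any(isinstance(a, OverrideAuthorization) for a in action_attrs):
        return action_filters
    controller_filters = [a for a in controller_attrs if isinstance(a, Authorize)]
    return controller_filters + action_filters


def is_authorized(principal: Principal, controller_attrs: List[Attr],
                  action_attrs: List[Attr]) -> bool:
    """True if the request reaches the action body, False if it is rejected."""
    # [AllowAnonymous] at either scope makes AuthorizeAttribute skip its check.
    if any(isinstance(a, AllowAnonymous) for a in controller_attrs + action_attrs):
        return True
    # Every remaining Authorize filter must pass: the caller must be authenticated
    # and, when roles are listed, hold at least one of them.
    for f in effective_authorize_filters(controller_attrs, action_attrs):
        if not principal.authenticated:
            return False
        if f.roles and not (f.roles & principal.roles):
            return False
    return True


def decision_table(principals: List[Principal], controller_attrs: List[Attr],
                   actions: Dict[str, List[Attr]]) -> Dict[Tuple[str, str], bool]:
    """(principal name, action name) -> allowed, for every combination."""
    return {(p.name, action): is_authorized(p, controller_attrs, attrs)
            for p in principals for action, attrs in actions.items()}


# The two controllers from the answer above, expressed in the model.
VALUES_CONTROLLER = [Authorize()]
VALUES_ACTIONS = {"Get": [AllowAnonymous()], "Post": []}

SOME_CONTROLLER = [Authorize(frozenset({"Admins"}))]
SOME_ACTIONS = {
    "Get": [OverrideAuthorization(), Authorize(frozenset({"Users"}))],
    "Post": [],
}
# Same Get without the override: both Authorize filters run and both must pass.
SOME_ACTIONS_NO_OVERRIDE = {"Get": [Authorize(frozenset({"Users"}))]}

# Constructed callers covering each role combination.
PRINCIPALS = [
    ANONYMOUS,
    Principal("alice", frozenset({"Users"})),
    Principal("bob", frozenset({"Admins"})),
    Principal("carol", frozenset({"Admins", "Users"})),
]

if __name__ == "__main__":
    cases = [("ValuesController", VALUES_CONTROLLER, VALUES_ACTIONS),
             ("SomeController", SOME_CONTROLLER, SOME_ACTIONS),
             ("SomeController, Get without override", SOME_CONTROLLER, SOME_ACTIONS_NO_OVERRIDE)]
    for label, ctrl, actions in cases:
        print(label)
        for (who, action), ok in decision_table(PRINCIPALS, ctrl, actions).items():
            print(f"  {who:<10} {action:<5} {'allowed' if ok else 'denied'}")
```

The third table is the one worth reading during a code review: an action-level [Authorize(Roles="Users")] added without [OverrideAuthorization] narrows access (the caller must satisfy the controller's "Admins" filter and the action's "Users" filter), whereas the same attribute with the override replaces the controller policy, so a Users-only caller is let in and an Admins-only caller is turned away. Treat [OverrideAuthorization] and [AllowAnonymous] as the two places where an action can widen access beyond what its controller declares.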




Answer 2:


OverrideAuthorizeAttribute describes an attribute which overrides the current functionality of AuthorizeAttribute according to its implementation by any developer (IT IS NOT PROVIDED IN ANY VERSION OF .NET FRAMEWORK).

AllowAnonymousAttribute is provided by .NET to override the AuthorizeAttribute functionality in a way defined by the .NET team. (IT IS PROVIDED IN .NET FRAMEWORK).



Source: https://stackoverflow.com/questions/34043934/allowanonymous-vs-overrideauthorizeattribute
