What is the intended semantics for multiple authentication filters? Is it allowed? And if so, how do they work together?
Here is an example. Suppose I have a controller class like
    using System.Web.Http;

    [BasicAuthenticator]
    [LocalAuthenticator]
    [Authorize]
    public class TestController : ApiController
    {
        [AllowAnonymous]
        public IHttpActionResult GetProduct(int id)
        {
            return Ok(); // body omitted in the question
        }
    }

in which BasicAuthenticator and LocalAuthenticator implement IAuthenticationFilter.
Each authenticator will get a chance to succeed. If either succeeds, it will set context.Principal to a new object with the corresponding ClaimsIdentity (name, type and isAuthenticated = true).
What if the authenticator does not work? I think it should not do anything, so that another one has a chance to succeed. Right?
And what if both succeed? Does the second one replace the Principal created by the first? Wouldn't it make sense to combine the ClaimsIdentity collections of the two principal objects?
If an authenticator fails, it should not do anything, right? Because another authenticator may succeed. The semantics of having two authenticators is that the action will be performed if one of them succeeds, correct?
I think the Authorize class will look at all the ClaimsIdentity objects in the principal, and if any ClaimsIdentity has isAuthenticated = true, it will allow the controller action to run. Otherwise it will set status = 401. This seems to work. Is that right?
The purpose of [AllowAnonymous] is to disable all other authorization filters, correct? If the controller (or action method) is decorated with [AllowAnonymous], then I assume it should always run, even if authentication fails. Is that right?
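As an added illustration (not code from the question), here is how two such filters could be written so that each one only sets context.Principal on success, does nothing when the request does not carry its scheme, and merges its ClaimsIdentity into a principal that an earlier filter already set instead of replacing it. The SchemeAuthenticator base class, the BasicAuthenticator subclass and its in-memory user table are constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http.Filters;

// Hypothetical base: one header scheme per filter; success sets or extends context.Principal.
public abstract class SchemeAuthenticator : Attribute, IAuthenticationFilter
{
    protected abstract string Scheme { get; }
    protected abstract string Validate(string parameter); // user name for valid credentials, else null
    public bool AllowMultiple { get { return true; } }

    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        var header = context.Request.Headers.Authorization;
        // Not our scheme: leave context.Principal alone so another filter can handle it.
        if (header == null || header.Scheme != Scheme) return Task.FromResult(0);
        string user = Validate(header.Parameter ?? "");
        if (user == null) return Task.FromResult(0); // alternative: set context.ErrorResult to reject outright
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user) }, Scheme);
        var existing = context.Principal as ClaimsPrincipal;
        // Keep identities set by earlier filters instead of overwriting them.
        context.Principal = existing == null
            ? new ClaimsPrincipal(identity)
            : new ClaimsPrincipal(existing.Identities.Concat(new[] { identity }));
        return Task.FromResult(0);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        return Task.FromResult(0); // a real filter would add a WWW-Authenticate challenge here
    }
}

// Constructed credential store for the example; a real filter would consult a user store.
public class BasicAuthenticator : SchemeAuthenticator
{
    private static readonly Dictionary<string, string> Users = new Dictionary<string, string> { { "alice", "s3cret" } };
    protected override string Scheme { get { return "Basic"; } }
    protected override string Validate(string parameter)
    {
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter)); }
        catch (FormatException) { return null; } // malformed base64 is treated as no credentials
        int colon = decoded.IndexOf(':');
        if (colon < 0) return null;
        string user = decoded.Substring(0, colon), pass = decoded.Substring(colon + 1);
        return Users.TryGetValue(user, out var expected) && expected == pass ? user : null;
    }
}
```

A second scheme (for example the LocalAuthenticator from the question) would derive from the same base with its own Scheme and Validate, so a request carrying either header ends up with a ClaimsPrincipal whose Identities list contains every identity that was successfully authenticated.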