Doug Schmidt - 260 - Jun 5, 2014

Is there an easy pattern for disabling authentication for only one method call?

Most of my services services derive from a ServiceBase class which has the [Authenticate] attribute on the class. So all my service methods require authentication, which is almost always what I want.

But I have a few special APIs which I don’t want to be authenticated.

I tried just adding [Authenticate(ApplyTo.None)] on the specific method call, but that has no effect.

[Authenticate]
class ServiceBase
{

}

class MyService: ServiceBase
{
    public ResponseDto1 Get(RequestDto1 request) … // Authenticated
    public ResponseDto2 Get(RequestDto2 request) … // Authenticated

    [Authenticate(ApplyTo.None)]
    public ResponseDto3 Get(RequestDto3 request) … // wide open!
}

I had expected that the 3rd API would work without authentication, but it still does. How I can disable authentication for just this 3rd API?

‘ApplyTo’ only changes the scope of what the RequestFilter Attribute applies to, it doesn’t automatically override or hide Request Filters defined at the class-level.

Just change your class heirachy so  you can avoid running Request Filters you don’t want , i.e:

class ServiceBase : Service { … }

[Authenticate]
class AuthenticateServiceBase : ServiceBase { … }

Doug Schmidt:

Yeah, that’s the structure our code already has. So it sounds like there is no way to override inherited request filters. I’ll need to restructure things to get the granularity I want. Not horrible, just not a 1-liner.