
Authorize filters vs Action Filters


I'm using .NET MVC2 for my application. I want some custom authorization on my actions. I have googled a bit and there seem to be two options available.

  • Implement logic in OnActionExecuting in a custom Action Filter, see this post
  • Subclass AuthorizeAttribute or implement the IAuthorization interface and put my logic there

My question is: which technique is preferable, and what are the pros and cons of each?

Edited: Moreover, I can override OnActionExecuting and OnAuthorization in my base controller, which gives me the benefit of accessing controller variables directly.


Solution

  • While both options are OK, it is best to subclass AuthorizeAttribute for these reasons:

    1. Separation of concerns.
    2. MVC provides the AuthorizeAttribute for this purpose (don't fight the framework).
    3. The authorization filter is run first -- before other filters (per Pro ASP.NET MVC3 Framework, page 431). This ensures no unnecessary code will execute if an unauthorized user hits your controller/action.
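
A sketch of the subclassing approach recommended above, added here as an example and not part of the original answer. `IPermissionService`, `RequirePermissionAttribute`, the `Forbidden` view and `ReportsController` are hypothetical names chosen for illustration.

```csharp
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Hypothetical permission lookup; back it with your own store (database, cache, ...).
public interface IPermissionService
{
    bool HasPermission(IPrincipal user, string permission);
}

public class RequirePermissionAttribute : AuthorizeAttribute
{
    // Assumption: assigned once at application start (e.g. in Global.asax).
    public static IPermissionService Permissions { get; set; }

    public string Permission { get; set; }

    // Override AuthorizeCore rather than OnAuthorization: the base OnAuthorization
    // also hooks output-cache validation, so a cached response is not served
    // to a user who fails this check.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check: authenticated, plus any Users/Roles set on the attribute.
        if (!base.AuthorizeCore(httpContext))
            return false;

        // Fail closed when the attribute or the service is misconfigured.
        if (Permissions == null || string.IsNullOrEmpty(Permission))
            return false;

        return Permissions.HasPermission(httpContext.User, Permission);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Signed in but not permitted: answer 403 instead of bouncing to login.
            filterContext.HttpContext.Response.StatusCode = 403;
            filterContext.Result = new ViewResult { ViewName = "Forbidden" };
        }
        else
        {
            // Anonymous: default behaviour (401, login redirect under forms auth).
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

public class ReportsController : Controller
{
    [RequirePermission(Permission = "reports.export")]
    public ActionResult Export() { return Content("exported"); }
}
```

Because this runs as an authorization filter, a denied request never reaches action filters or the action body.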