Understanding 5 kinds of AuthorizationFilter in ASP.NET MVC

Source: Internet
Author: User
Tags: filter

After the general introduction to filters and the mechanism by which they are delivered (in "Delving into the ASP.NET MVC filter"), we now introduce the four kinds of filters one by one, in the order in which they are executed, starting with the AuthorizationFilter, which runs first. As the name suggests, an AuthorizationFilter is meant to do authorization-related work, so it executes before the action method is invoked in order to perform the authorization. It is not limited to authorization, though: if we want to "do something" before the target action method executes, possibly interrupting the pipeline, that can be implemented in the form of an AuthorizationFilter.

1. IAuthorizationFilter

All AuthorizationFilters implement the interface IAuthorizationFilter. As shown in the following code snippet, IAuthorizationFilter defines a single OnAuthorization method that performs the authorization operation. The method's filterContext parameter is an AuthorizationContext object representing the authorization context, and AuthorizationContext inherits directly from ControllerContext.

    public interface IAuthorizationFilter
    {
        void OnAuthorization(AuthorizationContext filterContext);
    }

    public class AuthorizationContext : ControllerContext
    {
        public AuthorizationContext();
        public AuthorizationContext(ControllerContext controllerContext, ActionDescriptor actionDescriptor);

        public virtual ActionDescriptor ActionDescriptor { get; set; }
        public ActionResult Result { get; set; }
    }

The ActionDescriptor property of AuthorizationContext represents the ActionDescriptor object that describes the action currently being executed, and the Result property returns the ActionResult that is to be rendered in the authorization phase. Executing the AuthorizationFilters is the first task ActionInvoker performs when executing an action, because the subsequent work (model binding, model validation, action method execution, and so on) is only meaningful on the basis of a successful authorization.

Before executing the AuthorizationFilters, ActionInvoker creates an AuthorizationContext object representing the authorization context from the current controller context and the ActionDescriptor that describes the current action. This AuthorizationContext object is then passed as the parameter to the OnAuthorization method of every resolved AuthorizationFilter, which are executed in the order determined by the Order and Scope properties of the corresponding Filter objects.

After all AuthorizationFilters have been executed, if the Result property of the AuthorizationContext object holds a non-null ActionResult, the execution of the whole action terminates and ActionInvoker executes that ActionResult directly. In general, when the current request fails authorization, an AuthorizationFilter responds with a "401 Unauthorized" reply, or renders an error page, by setting the Result property of the incoming AuthorizationContext object.
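As an added example (not code from the original article), here is a custom AuthorizationFilter built directly on IAuthorizationFilter. It shows the short-circuit mechanism just described and, unlike AuthorizeAttribute, separates an unauthenticated caller (401, which Forms authentication turns into a login redirect) from an authenticated but unauthorized one (403). The attribute name RequireRoleAttribute and the role name "Admin" are assumptions.

```csharp
using System;
using System.Web.Mvc;

// Added example, not from the original article. Like AuthorizeAttribute, it derives from
// FilterAttribute so it can be applied per action, and it denies a request by assigning
// AuthorizationContext.Result, which makes ActionInvoker skip model binding and the action.
public sealed class RequireRoleAttribute : FilterAttribute, IAuthorizationFilter
{
    private readonly string _role; // hypothetical role name supplied by the attribute user

    public RequireRoleAttribute(string role)
    {
        if (string.IsNullOrEmpty(role)) throw new ArgumentException("role is required", "role");
        _role = role;
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        var user = filterContext.HttpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            // Same outcome as AuthorizeAttribute: 401, which Forms authentication
            // turns into a redirect to the configured login page.
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        if (!user.IsInRole(_role))
        {
            // Signed in but not permitted: answer 403 instead of 401, so the user is not
            // bounced back to a login page they have already passed. ActionDescriptor
            // identifies the action that was being protected.
            filterContext.Result = new HttpStatusCodeResult(403,
                "Action " + filterContext.ActionDescriptor.ActionName + " requires role " + _role);
            return;
        }

        // Result stays null: ActionInvoker proceeds with model binding and the action method.
    }
}

public class AdminController : Controller
{
    [RequireRole("Admin")] // assumed role name
    public ActionResult Index() { return Content("admin only"); }
}
```

Unlike AuthorizeAttribute, this filter does not implement the OnCacheAuthorization callback, so it must not be combined with [OutputCache] on the same action: a cached response would be served without the check running again.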

2. AuthorizeAttribute

If we require an action to be accessible only to authenticated users, we can apply the AuthorizeAttribute (defined below) to the controller type or the action method. AuthorizeAttribute can also restrict which users or roles may access the target action: its Users and Roles properties specify the lists of authorized user names and role names, separated by commas. If neither the Users nor the Roles property is set explicitly, AuthorizeAttribute only requires that the visitor be an authenticated user.

    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = true)]
    public class AuthorizeAttribute : FilterAttribute, IAuthorizationFilter
    {
        // other members
        public virtual void OnAuthorization(AuthorizationContext filterContext);
        protected virtual HttpValidationStatus OnCacheAuthorization(HttpContextBase httpContext);

        public string Roles { get; set; }
        public override object TypeId { get; }
        public string Users { get; set; }
    }

If authorization fails (the current visitor is not authenticated, or the current user's name or role is not in the specified list of authorized users or roles), AuthorizeAttribute creates an HttpUnauthorizedResult object and assigns it to the Result property of the AuthorizationContext, which means a reply with status "401 Unauthorized" is returned. If Forms authentication is used, the configured login page is displayed automatically.

Many people equate the authorization AuthorizeAttribute performs on a method with that of PrincipalPermissionAttribute. Not only do the two implement authorization through different mechanisms (the latter authorizes the method invocation through a code access security check), they also apply different authorization policies. Of the two methods defined below, applying PrincipalPermissionAttribute to FooOrAdmin means it can be invoked by the user account Foo or by any user with the Admin role. The method FooAndAdmin, decorated with AuthorizeAttribute, can only be accessed by the user Foo, and that user must also have the Admin role. That is, PrincipalPermissionAttribute applies a "logical OR" to the user and role conditions, whereas AuthorizeAttribute applies a "logical AND".

    [PrincipalPermission(SecurityAction.Demand, Name = "Foo", Role = "Admin")]
    public void FooOrAdmin()
    { }

    [Authorize(Users = "Foo", Roles = "Admin")]
    public void FooAndAdmin()
    { }

In addition, multiple PrincipalPermissionAttributes or AuthorizeAttributes can be applied to the same type or method. For the former, the target method may be invoked if the current user passes the authorization of any one of the PrincipalPermissionAttributes; for the latter, invoking the target method requires passing the authorization of all of the AuthorizeAttributes. For example, with the following two methods, either user Foo or user Bar has permission to invoke FooOrBar, but no user has the right to invoke CannotCall (because a user has only one user name).

    [PrincipalPermission(SecurityAction.Demand, Name = "Foo")]
    [PrincipalPermission(SecurityAction.Demand, Name = "Bar")]
    public void FooOrBar()
    { }

    [Authorize(Users = "Foo")]
    [Authorize(Users = "Bar")]
    public void CannotCall()
    { }
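The "logical AND" policy above is often not what a team expects when migrating from PrincipalPermissionAttribute. As an added example (not from the original article), the following AuthorizeAttribute subclass evaluates Users and Roles with "logical OR" instead; the class name AuthorizeAnyAttribute and the controller are assumptions, while AuthorizeCore is the real protected hook of the base class.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Added example, not from the original article: an AuthorizeAttribute subclass that
// grants access when the user name OR one of the roles matches, mirroring the policy of
// PrincipalPermissionAttribute. AuthorizeCore is the protected virtual method the base
// class calls both from OnAuthorization and from its OnCacheAuthorization path, so
// overriding it keeps the 401 / login-redirect and output-cache handling of the base class.
public sealed class AuthorizeAnyAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        IPrincipal user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false; // anonymous callers are always denied

        string[] users = SplitList(Users);
        string[] roles = SplitList(Roles);

        // No restriction configured: any authenticated user passes, as with the base class.
        if (users.Length == 0 && roles.Length == 0)
            return true;

        bool userMatches = users.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase);
        bool roleMatches = roles.Any(user.IsInRole);
        return userMatches || roleMatches; // OR, where the stock AuthorizeAttribute requires both
    }

    // Parses the comma-separated Users / Roles strings, ignoring blanks and surrounding spaces.
    private static string[] SplitList(string list)
    {
        return (list ?? string.Empty)
            .Split(',')
            .Select(s => s.Trim())
            .Where(s => s.Length > 0)
            .ToArray();
    }
}

// The MVC-filter equivalent of the PrincipalPermission-decorated FooOrAdmin method above.
public class DemoController : Controller
{
    [AuthorizeAny(Users = "Foo", Roles = "Admin")]
    public ActionResult FooOrAdmin() { return Content("Foo, or anyone in the Admin role"); }
}
```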
