Reputation: 408
Difference between authentication and authorization filters in aspnet-mvc5
Why authentication filter is included in mvc 5? What is the major difference between authentication filter and authorization filter in mvc 5?
Upvotes: 5
Views: 9447
Answers (2)
Reputation: 15432
To answer this you must understand the difference between authentication and authorization. Simply put,
- Authentication is the server trying to identify the user (i.e. asking the question of 'who are you'). Usually this involves entering usernames, passwords, and/or access tokens.
- Authorization is the server determining whether the claimed user can/cannot perform certain actions.
Given the above definitions, authorization must come after authentication since you must be able to identify the user before determining what actions are legal for that particular user.
For ASP.NET MVC, authentication filters run before authorization filters as explained above. They both allow you the specify custom authentication (via IAuthenticationFilter.OnAuthentication and IAuthenticationFilter.OnAuthenticationChallenge) and authorization logic (via IAuthorizationFilter.OnAuthorization) respectively.
Upvotes: 4
Reputation: 9463
I found the following blog post: ASP.NET MVC 5 Authentication Filters
Basically its about separation of concerns.
Authentication: find out WHO issued a request.
Authorization: find out whether a known user is allowed to perform a certain action.
Upvotes: 4
Related Questions
- Custom Authorization filter in ASP.NET MVC 5?
- ASP.NET MVC Authorization Filter
- What is the difference between Authorize Action filter and Authorization filter?
- What is the difference between Authorization filters and Action filters
- ASP.NET MVC IAuthorizationFilter usage
- MVC5 Authentication filters
- What is the difference between using AuthorizeAttribute or IAuthorizationFilter?
- Authentication filters in MVC 5
- Difference between IActionFilter and IAuthorizationFilter
- What is the difference between AuthenticateRequest and AuthorizeRequest