Draco

Reputation: 16374

How does custom MVC Authorization work?

I'm having a bit of an issue understanding how Authorization works in MVC when we extend the Authorize attribute.

So in the code we have extended the AuthorizeAttribute like this:

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
public class AuthExtendAttribute : AuthorizeAttribute

We then add the extension to the list of global filters like this:

filters.Add(new AuthExtendAttribute());

Then the action methods are decorated with the Authorize attribute like this:

[Authorize]
public bool DoStuff()

My question is, will this new extension replace the default behavior of the [Authorize] attribute or will the framework still use the default behavior and then call the overridden methods in AuthExtendAttribute?

Also, why would I need to add the extension to the global filter list if I could simply decorate my action methods with [AuthExtend]?

Is it also true that with newer MVC applications we shouldn't be extending the Authorize attribute but rather we should be using the new Policy based authorization?

Upvotes: 0

Views: 192

Answers (2)

Andrei Olariu

Reputation: 556

What you have are 2 separate action filters. By registering your new filter as a global filter, you're simply making it available to all actions in your app.

With your original set-up, both filters will execute. If you want to control the order in which they get executed you can have a look at the Order and Scope properties; more info here: In what order are filters executed in asp.net mvc

Also, why would I need to add the extension to the global filter list if I could simply decorate my action methods with [AuthExtend]?

It depends on what you want to do. Your global filter will execute for all actions. Usually, you would only be using your extended attribute; I don't see why you'd use both. Not sure how your custom filter is implemented and how your authentication is set up, but with the filter globally registered, how will users log in (since they need to be authorized to access the sign-in page)?

I think it would be best if you just use your custom filter and add it on top of controllers and/or actions as needed.

Is it also true that with newer MVC applications we shouldn't be extending the Authorize attribute but rather we should be using the new Policy based authorization?

I don't think that policy-based authorization and creating custom action filters are mutually exclusive.

Upvotes: 1
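
The set-up discussed in this answer, as an added example that is not code from the question or from either answer. It assumes ASP.NET MVC 5 (System.Web.Mvc); the attribute body, the "Staff" role and the controller names are hypothetical. The globally registered AuthExtendAttribute and the per-action [Authorize] both run, and [AllowAnonymous] keeps the login action reachable.

```csharp
using System;
using System.Net;
using System.Web;
using System.Web.Mvc;

// Assumed body for the question's attribute (the page shows only its declaration).
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
public class AuthExtendAttribute : AuthorizeAttribute
{
    // Called by the base OnAuthorization, which returns early for [AllowAnonymous] targets.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Keep the stock checks (authenticated, Users, Roles) and add to them.
        if (!base.AuthorizeCore(httpContext))
            return false;
        // Hypothetical extra rule: require a role named "Staff".
        return httpContext.User.IsInRole("Staff");
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            // Signed in but not permitted: answer 403 instead of the default 401.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        else
            base.HandleUnauthorizedRequest(filterContext); // default HttpUnauthorizedResult (401)
    }
}

public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new AuthExtendAttribute()); // now applies to every action
    }
}

public class AccountController : Controller
{
    [AllowAnonymous] // the global filter skips this action, so users can sign in
    public ActionResult Login() { return View(); }
}

public class StuffController : Controller
{
    [Authorize] // a second, separate filter; it runs in addition to the global one
    public bool DoStuff() { return true; }
}
```

Overriding OnAuthorization without calling the base implementation would drop the [AllowAnonymous] check, which is why the custom rule sits in AuthorizeCore here.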

Shiham

Reputation: 2184

  1. No, the default behavior will remain the same and unauthorized requests will be redirected to login.

  2. In order to use the attribute across the application you need to register the filter; that's what happens when you add it to the global filter list.

  3. Not sure there is an exact answer for this question; IMO it should be a decision to make according to your requirements rather than a rule. In my experience, claims/roles-based authorization simplifies things when the system has different roles and role-based access to certain parts of the application. But in the case of a single or few-user scenario, it is always quick to get going with custom authorization.

Upvotes: 1
