TAGS :Viewed: 14 - Published at: a few seconds ago

[ Authorize filters vs Action Filters ]

i m using .NET mvc2 for my application. i want some custom authorization on my actions. i have googled a bit and there seems to be two options available.

  • Impelement logic in onActionExecuting in custom Action Filter see this post
  • subclass authorizeattribute or implement Iauthorization interface and put my logic there

My question here is that which technique is preferable with pros and cons of using each technique

edited: Moreover i can override onActionExecuting and onAuthorization in my base controller that gives me benefit of accessing controller variables directly.


Answer 1

While both options are OK, it is best to subclass AuthorizeAttribute for these reasons:

  1. Separation of concerns.
  2. MVC provides the AuthorizeAttribute for this purpose (don't fight the framework).
  3. The authorization filter is run first -- before other filters (per Pro ASP.NET MVC3 Framework, page 431). This ensures no unnecessary code will execute if an unauthorized user hits your controller/action.