[ Authorize filters vs Action Filters ]
I'm using .NET MVC 2 for my application. I want some custom authorization on my actions. I have googled a bit and there seem to be two options available.
- Implement logic in OnActionExecuting in a custom action filter (see this post)
- Subclass AuthorizeAttribute or implement the IAuthorization interface and put my logic there
My question is: which technique is preferable, with the pros and cons of each?
Edited: Moreover, I can override OnActionExecuting and OnAuthorization in my base controller, which gives me the benefit of accessing controller variables directly.
While both options are OK, it is best to subclass AuthorizeAttribute for these reasons:
- Separation of concerns.
- MVC provides the AuthorizeAttribute for this purpose (don't fight the framework).
- The authorization filter is run first -- before other filters (per Pro ASP.NET MVC3 Framework, page 431). This ensures no unnecessary code will execute if an unauthorized user hits your controller/action.
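The subclassing approach recommended above, as an added example that is not part of the original answer. The attribute name, the `perm:` role-naming scheme, the `Forbidden` view and the controller are assumptions made for illustration; only the overridden members come from `System.Web.Mvc.AuthorizeAttribute`.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute: requires a named permission on top of the stock checks.
public class RequirePermissionAttribute : AuthorizeAttribute
{
    private readonly string _permission;

    public RequirePermissionAttribute(string permission)
    {
        if (String.IsNullOrEmpty(permission))
            throw new ArgumentException("A permission name is required.", "permission");
        _permission = permission;
    }

    // Override AuthorizeCore rather than OnAuthorization: the base OnAuthorization
    // also registers an output-cache validation callback that re-runs this check,
    // so a cached page is not served to a caller who fails it.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Stock check first: authenticated, plus any Users/Roles set on the attribute.
        if (!base.AuthorizeCore(httpContext))
            return false;

        // Assumption: permissions are exposed as roles named "perm:<name>".
        return httpContext.User.IsInRole("perm:" + _permission);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.Request.IsAuthenticated)
        {
            // Signed in but not permitted: answer 403 instead of sending the
            // user back to the login page.
            filterContext.HttpContext.Response.StatusCode = 403;
            filterContext.Result = new ViewResult { ViewName = "Forbidden" }; // hypothetical view
        }
        else
        {
            base.HandleUnauthorizedRequest(filterContext); // 401, handled by forms auth
        }
    }
}

public class ReportsController : Controller // hypothetical controller
{
    [RequirePermission("reports.export")]
    public ActionResult Export() { return Content("export"); }
}
```

Because the check lives in an authorization filter, the action body and any action filters on `Export` never run for a caller who fails it.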