What is the difference between using AuthorizeAttribute or IAuthorizationFilter?

强颜欢笑 提交于 2019-12-22 04:31:32

问题


AuthorizeAttribute requires you to override the OnAuthorization method and IAuthorizationFilter requires you to implement an OnAuthorization method. Seems like the same thing to me, are there any other differences? Why would one be used over the other?

EDIT: To clarify, I'm trying to understand what the difference is between the following 2 pieces of code.

public class PasswordExpirationCheckAttribute : AuthorizeAttribute
{
    private int _maxPasswordAgeInDays;

    public PasswordExpirationCheckAttribute(int maxPasswordAgeInDays)
    {
        _maxPasswordAgeInDays = maxPasswordAgeInDays;
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (!filterContext.ActionDescriptor.GetCustomAttributes(typeof(BypassPasswordExpirationCheckAttribute), true).Any())
        {
            IPrincipal userPrincipal = filterContext.RequestContext.HttpContext.User;
            if (userPrincipal != null && userPrincipal.Identity.IsAuthenticated)
            {
                var userStore = new ApplicationUserStore(new IdentityDb());
                var userManager = new ApplicationUserManager(userStore);
                var user = userManager.FindByNameAsync(filterContext.RequestContext.HttpContext.User.Identity.Name).Result;

                if (user != null)
                {
                    var timeSpan = DateTime.Today.Date - user.LastPasswordChangedDate.Date;
                    if (timeSpan.TotalDays >= _maxPasswordAgeInDays)
                    {
                        HttpContextBase httpContextBase = new HttpContextWrapper(HttpContext.Current);
                        RequestContext requestContext = new RequestContext(httpContextBase, new RouteData());
                        UrlHelper urlHelper = new UrlHelper(requestContext);

                        filterContext.HttpContext.Response.Redirect(urlHelper.Action("ChangePassword", "Manage"));
                    }
                }
            }
        }            

        base.OnAuthorization(filterContext);
    }
}

and...

public class PasswordExpirationCheckAttribute : IAuthorizationFilter
{
    private int _maxPasswordAgeInDays;

    public PasswordExpirationCheckAttribute(int maxPasswordAgeInDays)
    {
        _maxPasswordAgeInDays = maxPasswordAgeInDays;
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (!filterContext.ActionDescriptor.GetCustomAttributes(typeof(BypassPasswordExpirationCheckAttribute), true).Any())
        {
            IPrincipal userPrincipal = filterContext.RequestContext.HttpContext.User;
            if (userPrincipal != null && userPrincipal.Identity.IsAuthenticated)
            {
                var userStore = new ApplicationUserStore(new IdentityDb());
                var userManager = new ApplicationUserManager(userStore);
                var user = userManager.FindByNameAsync(filterContext.RequestContext.HttpContext.User.Identity.Name).Result;

                if (user != null)
                {
                    var timeSpan = DateTime.Today.Date - user.LastPasswordChangedDate.Date;
                    if (timeSpan.TotalDays >= _maxPasswordAgeInDays)
                    {
                        HttpContextBase httpContextBase = new HttpContextWrapper(HttpContext.Current);
                        RequestContext requestContext = new RequestContext(httpContextBase, new RouteData());
                        UrlHelper urlHelper = new UrlHelper(requestContext);

                        filterContext.HttpContext.Response.Redirect(urlHelper.Action("ChangePassword", "Manage"));
                    }
                }
            }
        }            

        return;
    }
}

回答1:


IAuthorizationFilter is only an interface. It does nothing. If you wanted to use it, you'd have to implement your own authorization attribute that implements that interface from the ground up.

AuthorizeAttribute, on the other hand, works out of the box. It implements IAuthorizationFilter and already takes care of the common needs of developers. It still allows you to override the OnAuthorization method in case you want to extend its functionality, but you don't have to, as it works just fine without you doing that.



来源:https://stackoverflow.com/questions/27021506/what-is-the-difference-between-using-authorizeattribute-or-iauthorizationfilter

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!