Difference between AuthorizeAttribute and IAuthenticationFilter

Submitted by 亡梦爱人 on 2020-08-04 06:02:29

Question


In ASP.Net Web API 2 (Owin), what is the difference between IAuthenticationFilter and AuthorizeAttribute?

Currently I have implemented my authorization by creating my own AuthorizeAttribute like this:

using System.Web.Http;
using System.Web.Http.Controllers;

public class IntegratedAuthorization : AuthorizeAttribute
{
    // Returning false makes the base class short-circuit the request with 401 Unauthorized.
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        bool returnValue = false;

        var authorization = actionContext.Request.Headers.Authorization;
        if (authorization != null)
        {
            if (authorization.Scheme != null)
            {
                if (authorization.Scheme.ToLower() == "basic")
                {
                    if (authorization.Parameter != null)
                    {
                        // ....
                        // ....
                        // ....
                    }
                }
            }
        }

        return returnValue;
    }
}

Then I have added it to my HttpConfiguration like this:

config.Filters.Add(new IntegratedAuthorization());

Everything works fine, but when I searched the Internet, I found a lot of developers who use IAuthenticationFilter, like in this tutorial: Authentication Filters in ASP.NET Web API 2.

Now the real question: what is the difference between these two methods? What should I use?

Thank you!


Answer 1:


AuthorizeAttribute is the class to implement for authorization of an application. You are following the correct approach.

IAuthorizationFilter is a more generalized interface that many filters implement, but they don't necessarily all provide authorization. While MVC doesn't care much one way or the other, the only way 3rd party libraries can identify the authorization component in the application and thus plug into the application's security is to check whether it inherits AuthorizeAttribute. The bottom line is that if your authorization component doesn't inherit AuthorizeAttribute, some 3rd party libraries might not function correctly in your application.

Since AuthorizeAttribute implements IAuthorizationFilter, you still have access to all of its functionality, including the OnAuthorization method that Farhad mentioned.

The only downside is Microsoft assumed that every application would be based on users and roles by making these properties of AuthorizeAttribute. So, if you have an application that is not, you may need to hide these properties in your implementation.

using System;
using System.ComponentModel;

// Inside your AuthorizeAttribute subclass: `new` hides the inherited properties,
// and the attributes keep them out of designers, IntelliSense and the compiler's good books.
[Obsolete("Not applicable in this class.")]
[DesignerSerializationVisibility(DesignerSerializationVisibility.Hidden)]
[Browsable(false), EditorBrowsable(EditorBrowsableState.Never)]
new public string Roles { get; set; }

[Obsolete("Not applicable in this class.")]
[DesignerSerializationVisibility(DesignerSerializationVisibility.Hidden)]
[Browsable(false), EditorBrowsable(EditorBrowsableState.Never)]
new public string Users { get; set; }

One additional constraint is required for 3rd parties to plug into your application security - if you override OnAuthorization (note that you don't have to) it is important that a successful authorization return null for the actionContext.Response property and an unsuccessful authorization must set it to a non-null value (a handler that will take action based on the failure). This is the way the default implementation works, and you should follow the same pattern if you need to customize it.
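For contrast with the AuthorizeAttribute approach above, here is an added example (not from the question, the answer or the Microsoft tutorial) of the IAuthenticationFilter side of the split: it only establishes who the caller is and emits the 401 challenge, and leaves the allow/deny decision to a plain [Authorize] on the controller or action. It assumes Web API 2.1 or later for the ChallengeWith extension method, and the user name and password are a constructed demo credential standing in for a real credential store.

```csharp
using System;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Filters;
using System.Web.Http.Results;
// Authentication filter: establishes WHO the caller is, or fails with 401. Access decisions stay with [Authorize].
public class BasicAuthenticationFilter : Attribute, IAuthenticationFilter
{
    // Constructed demo credential; a real store holds salted password hashes, never plaintext.
    private const string DemoUser = "alice", DemoPassword = "demo-only";
    public bool AllowMultiple { get { return false; } }
    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        var auth = context.Request.Headers.Authorization;
        // No Basic header: leave Principal alone so [AllowAnonymous] actions still run; [Authorize] rejects the rest.
        if (auth == null || !"Basic".Equals(auth.Scheme, StringComparison.OrdinalIgnoreCase))
            return Task.FromResult(0);
        if (!TryValidate(auth.Parameter, out string userName))
        {
            // Bad or malformed credentials: short-circuit with 401; ChallengeAsync adds the WWW-Authenticate header.
            context.ErrorResult = new UnauthorizedResult(new AuthenticationHeaderValue[0], context.Request);
            return Task.FromResult(0);
        }
        var identity = new ClaimsIdentity("Basic");
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        context.Principal = new ClaimsPrincipal(identity);
        return Task.FromResult(0);
    }
    // Attaches a WWW-Authenticate challenge to any 401 produced later in the pipeline (including by [Authorize]).
    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        context.ChallengeWith("Basic", "realm=\"api\"");
        return Task.FromResult(0);
    }
    // Decodes "user:password"; rejects malformed base64, a missing user name or a wrong password.
    private static bool TryValidate(string parameter, out string userName)
    {
        userName = null;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter ?? "")); } catch (FormatException) { return false; }
        int colon = decoded.IndexOf(':');
        if (colon <= 0 || decoded.Substring(0, colon) != DemoUser || decoded.Substring(colon + 1) != DemoPassword)
            return false;
        userName = DemoUser;
        return true;
    }
}
```

Register it with `config.Filters.Add(new BasicAuthenticationFilter());` and keep `[Authorize]` on the actions that need an authenticated user; the filter never decides access on its own.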



Source: https://stackoverflow.com/questions/28668898/difference-between-authorizeattribute-and-iauthenticationfilter
