Question
Why is the authentication filter included in MVC 5? What is the major difference between the authentication filter and the authorization filter in MVC 5?
Answer 1:
I found the following blog post: ASP.NET MVC 5 Authentication Filters
Basically it's about separation of concerns.
Authentication: find out WHO issued a request.
Authorization: find out whether a known user is allowed to perform a certain action.
Answer 2:
To answer this you must understand the difference between authentication and authorization. Simply put,
- Authentication is the server trying to identify the user (i.e. asking the question of 'who are you'). Usually this involves entering usernames, passwords, and/or access tokens.
- Authorization is the server determining whether the claimed user can/cannot perform certain actions.
Given the above definitions, authorization must come after authentication since you must be able to identify the user before determining what actions are legal for that particular user.
For ASP.NET MVC, authentication filters run before authorization filters as explained above. They both allow you to specify custom authentication (via IAuthenticationFilter.OnAuthentication and IAuthenticationFilter.OnAuthenticationChallenge) and authorization logic (via IAuthorizationFilter.OnAuthorization) respectively.
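An added example, not code from either answer or the linked blog post: one authentication filter and one authorization filter side by side, showing that the first establishes the principal (answering with 401 when it cannot) and the second only judges that principal (answering with 403). The `X-Api-Key` header, the `ReportsApiKey` app setting, the `reports-client` identity and the `ReportReader` role are assumed names.

```csharp
using System.Configuration;
using System.Security.Principal;
using System.Web.Mvc;
using System.Web.Mvc.Filters;

// Authentication: establish WHO is calling. Runs before any authorization filter.
public class ApiKeyAuthenticationAttribute : FilterAttribute, IAuthenticationFilter
{
    public void OnAuthentication(AuthenticationContext filterContext)
    {
        // "X-Api-Key" and the "ReportsApiKey" app setting are assumed names.
        string presented = filterContext.HttpContext.Request.Headers["X-Api-Key"];
        string expected = ConfigurationManager.AppSettings["ReportsApiKey"];
        if (!string.IsNullOrEmpty(expected) && FixedTimeEquals(presented, expected))
        {
            // MVC copies this principal to HttpContext.User before authorization runs.
            filterContext.Principal = new GenericPrincipal(
                new GenericIdentity("reports-client", "ApiKey"), new[] { "ReportReader" });
        }
        else
            filterContext.Result = new HttpUnauthorizedResult(); // 401: caller unknown
    }
    public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
    {
        // Tell the client which scheme to use whenever the outcome is a 401.
        if (filterContext.Result is HttpUnauthorizedResult)
            filterContext.HttpContext.Response.AddHeader("WWW-Authenticate", "ApiKey");
    }
    // Compare without exiting early on the first differing character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Authorization: decide whether the now-known caller may run this action.
public class RequireRoleAttribute : FilterAttribute, IAuthorizationFilter
{
    private readonly string _role;
    public RequireRoleAttribute(string role) { _role = role; }
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.User.IsInRole(_role))
            filterContext.Result = new HttpStatusCodeResult(403); // 403: known, not allowed
    }
}
```

Decorating an action with `[ApiKeyAuthentication]` and `[RequireRole("ReportReader")]` gives a 401 for a missing or wrong key and a 403 for a valid key whose principal lacks the required role.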
Source: https://stackoverflow.com/questions/39264993/difference-between-authentication-and-authorization-filters-in-aspnet-mvc5