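The easiest way to understand it is by looking at the source code.
The basic explanation is that MVC does not call the controller action directly as instance.Method() (if it did, you would need something like PostSharp to make the attributes work the same way). The attributes are only metadata; they take effect because the framework's invoker reads and runs them, so an action method that is called directly from other code does not pass through [Authorize] or any other filter.
There is a ControllerActionInvoker,
which has the method: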
public virtual bool InvokeAction(ControllerContext controllerContext, string actionName)
{
...
// get all the filters (all that inherit FilterAttribute), including the Authorize attribute
FilterInfo filterInfo = GetFilters(controllerContext, actionDescriptor);
// First, all the filters that implement IAuthorizationFilter
// are executed (Authorize, ValidateAntiForgeryToken);
// the rest run afterwards, and only if authorization succeeded.
AuthorizationContext authContext = InvokeAuthorizationFilters(controllerContext, filterInfo.AuthorizationFilters, actionDescriptor);
// authContext.Result is non-null if authorization didn't succeed; in that case the action method below is never invoked
if (authContext.Result != null)
{
// the auth filter signaled that we should let it short-circuit the request
InvokeActionResult(controllerContext, authContext.Result);
}
else
{
if (controllerContext.Controller.ValidateRequest)
{
ValidateRequest(controllerContext);
}
IDictionary<string, object> parameters = GetParameterValues(controllerContext, actionDescriptor);
//invoke the action with filters here
ActionExecutedContext postActionContext = InvokeActionMethodWithFilters(controllerContext, filterInfo.ActionFilters, actionDescriptor, parameters);
InvokeActionResultWithFilters(controllerContext, filterInfo.ResultFilters, postActionContext.Result);
}