ASP.NET MVCの[Authorize]のデフォルト動作をオーバーライドすることは可能ですか？

Question

ASP.NET MVCのデフォルトの[Authorize]動作をオーバーライドできるかどうか、またはどのようにできますか。新しいアクションフィルターを作成したり、自分の属性を作成したりできることを知っています。単に[承認]動作を変更して、その動作を自分のコードに置き換えることができるかどうかだけに興味がありますか？

編集: ：男と女の子。私はあなたの入力に感謝しますが、私が書いたように、私は いいえ 新しい[xyzauthorize]属性を紹介したいと考えています。これを行う方法を知っています。 [Authorize] Notationを維持したいのですが、その仕組みを変更するだけです。

Answer 1

Yes, take a look at the MSDN docs for AuthorizeAttribute: http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.aspx.

Basically, you can override the OnAuthorization() method and customize the behavior. There are other virtual methods on the attribute as well.

EDIT: As Bruno pointed out, you can override the AuthorizeCore() method. The main difference being that AuthorizeCore() takes an HttpContextBase, while OnAuthorization() takes an AuthorizationContext. An instance of AuthorizationContext provides you with more information, such as the Controller, the RequestContext and the RouteData. It also lets you specify an ActionResult.

AuthorizeCore() is more restricted in the information you can access as well as the result you can return, but if you need to authorize cached data, then your logic needs to handle the case where you don't have any of that extra data (since data is served from the cache before the request is routed through the MVC pipeline).

As always, you need to understand your scenario and the available tools and trade-offs between them.

Answer 2

You can subclass the AuthorizeAttribute filter and put your own logic inside it.

Let's see an example. Let's say you want to always authorize local connections. However, if it is a remote connection, you would like to keep the usual authorization logic.

You could do something like:

public class LocalPermittedAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            return (httpContext.Request.IsLocal || base.AuthorizeCore(httpContext)));
        }
}

Or you could always authorize a certain remote address (your machine, for example).

That's it!

Edit: forgot to mention, you will use it the same as you would use the AuthorizeAttribute filter:

class MyController : Controller
{
    [LocalPermittedAuthorize]
    public ActionResult Fire()
    {
        Missile.Fire(Datetime.Now);
    }
}

Answer 3

Implement your own Role Provider and set your app to use it. Then the Authorize attribute will respect your athorization code.

Answer 4

I see only 2 ways: overriding AuthorizeAttribute.OnAuthorization method or creating your own authorize attribute from scratch.

1) very easy:

public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);

        /// your behavior here
    }
}

2) easy too - just look at ASP.NET MVC source, AuthorizeAttribute.cs file

Answer 5

It seems you can implement a custom filter as usual (and inherit AuthorizeAttribute if you want), and then create a new ActionInvoker that inherits ControllerActionInvoker and overrides GetFilters. In GetFilters, you call base.GetFilters() to get the list of filters, the iterate through the AuthorizationFilters and replace calls to AuthorizeFilter with calls to your custom filter.

Another potential way is to implement custom membership and role providers, depending on what you're trying to do.