Question

AuthorizeAttribute要求您覆盖OnAuthorization方法，IAuthorizationFilter要求您实现OnAuthorization方法。对我来说似乎是一样的东西，还有其他差异吗？为什么一个用于另一个？

编辑：为了澄清，我试图理解以下两段代码之间的区别。

public class PasswordExpirationCheckAttribute : AuthorizeAttribute
{
    private int _maxPasswordAgeInDays;

    public PasswordExpirationCheckAttribute(int maxPasswordAgeInDays)
    {
        _maxPasswordAgeInDays = maxPasswordAgeInDays;
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (!filterContext.ActionDescriptor.GetCustomAttributes(typeof(BypassPasswordExpirationCheckAttribute), true).Any())
        {
            IPrincipal userPrincipal = filterContext.RequestContext.HttpContext.User;
            if (userPrincipal != null && userPrincipal.Identity.IsAuthenticated)
            {
                var userStore = new ApplicationUserStore(new IdentityDb());
                var userManager = new ApplicationUserManager(userStore);
                var user = userManager.FindByNameAsync(filterContext.RequestContext.HttpContext.User.Identity.Name).Result;

                if (user != null)
                {
                    var timeSpan = DateTime.Today.Date - user.LastPasswordChangedDate.Date;
                    if (timeSpan.TotalDays >= _maxPasswordAgeInDays)
                    {
                        HttpContextBase httpContextBase = new HttpContextWrapper(HttpContext.Current);
                        RequestContext requestContext = new RequestContext(httpContextBase, new RouteData());
                        UrlHelper urlHelper = new UrlHelper(requestContext);

                        filterContext.HttpContext.Response.Redirect(urlHelper.Action("ChangePassword", "Manage"));
                    }
                }
            }
        }            

        base.OnAuthorization(filterContext);
    }
}

和...

public class PasswordExpirationCheckAttribute : IAuthorizationFilter
{
    private int _maxPasswordAgeInDays;

    public PasswordExpirationCheckAttribute(int maxPasswordAgeInDays)
    {
        _maxPasswordAgeInDays = maxPasswordAgeInDays;
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (!filterContext.ActionDescriptor.GetCustomAttributes(typeof(BypassPasswordExpirationCheckAttribute), true).Any())
        {
            IPrincipal userPrincipal = filterContext.RequestContext.HttpContext.User;
            if (userPrincipal != null && userPrincipal.Identity.IsAuthenticated)
            {
                var userStore = new ApplicationUserStore(new IdentityDb());
                var userManager = new ApplicationUserManager(userStore);
                var user = userManager.FindByNameAsync(filterContext.RequestContext.HttpContext.User.Identity.Name).Result;

                if (user != null)
                {
                    var timeSpan = DateTime.Today.Date - user.LastPasswordChangedDate.Date;
                    if (timeSpan.TotalDays >= _maxPasswordAgeInDays)
                    {
                        HttpContextBase httpContextBase = new HttpContextWrapper(HttpContext.Current);
                        RequestContext requestContext = new RequestContext(httpContextBase, new RouteData());
                        UrlHelper urlHelper = new UrlHelper(requestContext);

                        filterContext.HttpContext.Response.Redirect(urlHelper.Action("ChangePassword", "Manage"));
                    }
                }
            }
        }            

        return;
    }
}

Answer 1

IAuthorizationFilter只是一个界面。它什么都不做。如果您想使用它，您必须实现自己的授权属性，从头开始实现该接口。

另一方面，

AuthorizeAttribute开箱即用。它实现了IAuthorizationFilter，并且已经满足了开发人员的共同需求。它仍然允许您覆盖OnAuthorization方法，以防您想要扩展其功能，但是您不必这样做，因为它可以正常运行而不会这样做。

使用AuthorizeAttribute或IAuthorizationFilter有什么区别？

1 个答案: