 

Authentication filters in MVC 5

Authentication filters from Release Notes page

Authentication filters are a new kind of filter in ASP.NET MVC that run prior to authorization filters in the ASP.NET MVC pipeline and allow you to specify authentication logic per-action, per-controller, or globally for all controllers. Authentication filters process credentials in the request and provide a corresponding principal. Authentication filters can also add authentication challenges in response to unauthorized requests.

Can some one provide the practical use of this? Where I can use this AuthenticationFilters exactly?

Earlier I used to manage the Access Control List for an action/controller by writing my own CustomAttribute: FilterAttribute, IAuthorizationFilter and implementing public void OnAuthorization(AuthorizationContext filterContext). Is it possible to use this AuthenticationFilter here?

Murali Murugesan asked Sep 27 '13 10:09


1 Answers

As the docs say, the custom authentication filter provides authentication per-action, per-controller or globally.

An example use is changing the authentication for just a few selected controllers. Suppose for example that your whole site uses Forms Authentication where principals are taken from forms cookies.

However, you have a selected controller that acts as OAuth2 Resource Server where requests come from Service Providers (servers) and there are no forms cookies, rather, an OAuth2 access token is provided by the service provider server.

This is where a custom authentication filter comes into play - its task is to translate the token to a principal for the lifetime of the current request only, just for the one controller that acts as the resource server endpoint. You don't want the whole site to accept OAuth2 tokens, rather the one particular controller.

The reason to introduce authentication filters is to separate authentication from authorization, where:

  • authentication is for establishing a principal for the current request
  • authorization is to verify whether or not the current principal is permitted to execute the current request

This was not clearly separated before authentication filters were introduced. Personally, I used to use authorization filters for this, however having two separate layers of filters in this particular order (authentication first, then authorization) is just cleaner.

Wiktor Zychla answered Oct 11 '22 22:10
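The scenario the answer describes (one resource-server controller accepting an OAuth2 bearer token while the rest of the site stays on forms cookies), as an added example that is not from the question or the answer. `IAccessTokenValidator` and the `Validator` property are assumptions standing in for whatever token introspection the application actually performs; the filter types themselves are the real MVC 5 `System.Web.Mvc.Filters` API.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Web.Mvc;
using System.Web.Mvc.Filters;

// Hypothetical validator contract: returns the token's claims, or null if the token is invalid.
public interface IAccessTokenValidator
{
    IEnumerable<Claim> Validate(string accessToken);
}

// Applied only to the resource-server controller, so the rest of the site keeps forms authentication.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class BearerTokenAuthenticationAttribute : FilterAttribute, IAuthenticationFilter
{
    // Assumed to be set once at startup (e.g. in Application_Start) by the application.
    public static IAccessTokenValidator Validator { get; set; }

    public void OnAuthentication(AuthenticationContext filterContext)
    {
        string header = filterContext.HttpContext.Request.Headers["Authorization"];
        if (string.IsNullOrEmpty(header) || !header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
        {
            // No bearer credentials: leave the request unauthenticated and let [Authorize] decide.
            return;
        }
        var claims = Validator.Validate(header.Substring("Bearer ".Length).Trim());
        if (claims == null)
        {
            // Credentials were presented but are invalid: fail now, before authorization filters run.
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        // The principal lives only for this request; MVC copies it to HttpContext.User and the thread.
        filterContext.Principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "Bearer"));
    }

    public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
    {
        if (filterContext.Result is HttpUnauthorizedResult)
        {
            // Send a 401 with the scheme name instead of the forms-auth login-page redirect.
            filterContext.HttpContext.Response.SuppressFormsAuthenticationRedirect = true;
            filterContext.HttpContext.Response.AppendHeader("WWW-Authenticate", "Bearer");
        }
    }
}
```

Decorate the resource-server controller with `[BearerTokenAuthentication]` followed by `[Authorize]`: the first establishes the principal, the second decides whether that principal may run the action, which is exactly the two-layer split the answer describes.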