Authorize filters vs Action Filters

Question

i m using .NET mvc2 for my application. I want some custom authorization on my actions. I have googled a bit and there seems to be two options available.

• Implement logic in onActionExecuting in custom Action Filter, see this post
• Subclass authorizeattribute or implement Iauthorization interface and put my logic there

My question here is that which technique is preferable with pros and cons of using each technique

edited: Moreover I can override onActionExecuting and onAuthorization in my base controller that gives me benefit of accessing controller variables directly.

Answer 1

While both options are OK, it is best to subclass AuthorizeAttribute for these reasons:

1. Separation of concerns.
2. MVC provides the AuthorizeAttribute for this purpose (don't fight the framework).
3. The authorization filter is run first -- before other filters (per Pro ASP.NET MVC3 Framework, page 431). This ensures no unnecessary code will execute if an unauthorized user hits your controller/action.