
Custom Authorize Filter Order Execution with ValidateAntiForgeryToken

I am using a couple of Authorize filters on a method.

[SessionState(SessionStateBehavior.Required)]
public class AuthenticationFilterAttribute : AuthorizeAttribute {}

[HttpPost]
[AuthenticationFilter]
[ValidateAntiForgeryToken]
public void SaveProgress(string data) {}

Both of them are authorize filters, so I expected AuthenticationFilter to run before the ValidateAntiForgeryToken filter. But the ValidateAntiForgeryToken runs before the Authentication filter.

I know that this can be solved by the Order property. But I want to know the reason for this behaviour, and I want to make sure it executes in that order (within the corresponding filter types: authorize, action, and so on).

DarkKnight asked Oct 22 '13 22:10


1 Answer

Filter execution order is defined by their types, their Order and finally their Scopes.

From MSDN:

Filter Order

Filters run in the following order:

  1. Authorization filters
  2. Action filters
  3. Response filters
  4. Exception filters

For example, authorization filters run first and exception filters run last. Within each filter type, the Order value specifies the run order. Within each filter type and order, the Scope enumeration value specifies the order for filters. This enumeration defines the following filter scope values (in the order in which they run):

  1. First
  2. Global
  3. Controller
  4. Action
  5. Last

For example, an OnActionExecuting(ActionExecutingContext) filter that has the Order property set to zero and filter scope set to First runs before an action filter that has the Order property set to zero and filter scope set to Action. Because exception filters run in reverse order, an exception filter that has the Order property set to zero and filter scope set to First runs after an action filter that has the Order property set to zero and filter scope set to Action.

And finally:

The execution order of filters that have the same type, order, and scope is undefined.

Your ValidateAntiForgeryToken and Authorize filters are of the same type, order and scope too (both being undefined), so the execution order will be undefined. From there, your only option is, as you already know, to define an Order property for both.

For your information, the FilterScope property does not show up in my IntelliSense, but after typing it, it finally appears.

AirL answered Sep 20 '22 08:09
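
One way to catch this ambiguity before it ships, as an added example that is not part of the original question or answer: a reflection check that lists every action where `[ValidateAntiForgeryToken]` and another action-level authorization filter share the same Order. `FilterOrderAudit` and `FindAmbiguousActions` are hypothetical names; the code assumes a reference to System.Web.Mvc and inspects only attributes placed directly on action methods.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Added example; FilterOrderAudit is a hypothetical helper, not part of ASP.NET MVC.
// The fix it pushes you toward, using the question's attributes (lower Order runs first):
//   [AuthenticationFilter(Order = 1)]
//   [ValidateAntiForgeryToken(Order = 2)]
public static class FilterOrderAudit
{
    // Returns one message per action whose action-level authorization filters
    // have no defined order relative to [ValidateAntiForgeryToken].
    public static IList<string> FindAmbiguousActions(Assembly assembly)
    {
        var problems = new List<string>();
        var actions = assembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract)
            .SelectMany(t => t.GetMethods(
                BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly));

        foreach (var action in actions)
        {
            // Filters declared on the method itself that run in the authorization stage.
            var authFilters = action.GetCustomAttributes(typeof(FilterAttribute), true)
                .OfType<FilterAttribute>()
                .Where(f => f is IAuthorizationFilter)
                .ToList();

            var antiForgery = authFilters.OfType<ValidateAntiForgeryTokenAttribute>().FirstOrDefault();
            if (antiForgery == null) continue;

            foreach (var other in authFilters.Where(f => !ReferenceEquals(f, antiForgery)))
            {
                // Same type (authorization) and same scope (Action): only Order separates them.
                if (other.Order == antiForgery.Order)
                    problems.Add(string.Format(
                        "{0}.{1}: {2} and ValidateAntiForgeryToken share Order {3}",
                        action.DeclaringType.Name, action.Name, other.GetType().Name, other.Order));
            }
        }
        return problems;
    }
}
```

Calling it from a unit test with the web project's assembly and asserting that the returned list is empty keeps the authentication and anti-forgery ordering explicit on every action.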