AuthorizeAttribute 是 ASP.NET MVC 的几类过滤器之一（它实现了 IAuthorizationFilter，属于授权过滤器），俗称认证和授权过滤器：先判断用户是否已登录（IsAuthenticated），再按特性上配置的 Users / Roles 判断是否有权访问。当为某个 Controller 或 Action 附加该特性时，未登录或不满足 Users / Roles 条件的账户将无法访问这些 Controller 或 Action。需要注意的是：只写 [Authorize] 而不指定 Users / Roles 时，任何已认证的用户都能通过，它并不会把访问限定到具体账户或角色。
在进入一个附加了 Authorize 特性的 Controller 或 Action 之前，首先执行的是 AuthorizeAttribute 类的 OnAuthorization(AuthorizationContext filterContext) 方法，接着 OnAuthorization 会调用 AuthorizeCore(HttpContextBase httpContext) 等方法完成实际的授权判定。AuthorizeCore 是 protected virtual 方法，自定义授权逻辑通常通过继承 AuthorizeAttribute 并重写该方法来实现；重写时应保留对 httpContext 为 null 的检查，并在无法确定时返回 false（默认拒绝），避免把失败路径写成放行。
将 AuthorizeAttribute 类反编译后得到如下代码（本页截取的片段在 CacheValidateHandler 方法处被截断）。Users 与 Roles 都是用英文逗号分隔的字符串，赋值时由 SplitString 拆分。从 AuthorizeCore 的实现可以清楚看到判定规则：用户必须已认证（user.Identity.IsAuthenticated）；若指定了 Users，则 user.Identity.Name 必须出现在列表中（使用 OrdinalIgnoreCase 比较，即不区分大小写，无法靠大小写区分两个账户名）；若指定了 Roles，则用户只需属于列表中的任意一个角色即可（user.IsInRole 的 Any 语义，是「或」而不是「与」）。Users 与 Roles 均为空时只检查是否已认证。该特性声明了 AllowMultiple = true，可以在同一目标上叠加多个。
using System; using System.Collections.Generic; using System.Linq; using System.Security.Principal; using System.Web.Mvc.Properties; namespace System.Web.Mvc { /// <summary>Specifies that access to a controller or action method is restricted to users who meet the authorization requirement.</summary> [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)] public class AuthorizeAttribute : FilterAttribute, IAuthorizationFilter { private static readonly char[] _splitParameter = new char[] { ',' }; private readonly object _typeId = new object(); private string _roles; private string[] _rolesSplit = new string[0]; private string _users; private string[] _usersSplit = new string[0]; /// <summary>Gets or sets the user roles that are authorized to access the controller or action method.</summary> /// <returns>The user roles that are authorized to access the controller or action method.</returns> public string Roles { get { return this._roles ?? string.Empty; } set { this._roles = value; this._rolesSplit = AuthorizeAttribute.SplitString(value); } } /// <summary>Gets the unique identifier for this attribute.</summary> /// <returns>The unique identifier for this attribute.</returns> public override object TypeId { get { return this._typeId; } } /// <summary>Gets or sets the users that are authorized to access the controller or action method.</summary> /// <returns>The users that are authorized to access the controller or action method.</returns> public string Users { get { return this._users ?? 
string.Empty; } set { this._users = value; this._usersSplit = AuthorizeAttribute.SplitString(value); } } /// <summary>When overridden, provides an entry point for custom authorization checks.</summary> /// <returns>true if the user is authorized; otherwise, false.</returns> /// <param name="httpContext">The HTTP context, which encapsulates all HTTP-specific information about an individual HTTP request.</param> /// <exception cref="T:System.ArgumentNullException">The <paramref name="httpContext" /> parameter is null.</exception> protected virtual bool AuthorizeCore(HttpContextBase httpContext) { if (httpContext == null) { throw new ArgumentNullException("httpContext"); } IPrincipal user = httpContext.User; return user.Identity.IsAuthenticated && (this._usersSplit.Length <= 0 || this._usersSplit.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase)) && (this._rolesSplit.Length <= 0 || this._rolesSplit.Any(new Func<string, bool>(user.IsInRole))); } private void CacheValidateHandler(HttpContext context, object data, ref HttpValidationStatus validationStatus) { validationStatus = this.OnCacheAuthorization(new HttpConte