asp.net MVC之AuthorizeAttribute浅析

AuthorizeAttribute是asp.net MVC的几大过滤器之一，俗称认证和授权过滤器，也就是判断登录与否，授权与否。当为某一个Controller或Action附加该特性时，没有登录或授权的账户是不能访问这些Controller或Action的。

在进入一个附加了Authorize特性的Controller或Action之前，首先执行的是AuthorizeAttribute类的OnAuthorization(AuthorizationContext filterContext)方法，接着OnAuthorization方法会去调用其他的诸如AuthorizeCore方法。

在将AuthorizeAttribute类反编译之后得到如下代码，一看就清晰明了：

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web.Mvc.Properties;
namespace System.Web.Mvc
{
    /// <summary>Specifies that access to a controller or action method is restricted to users who meet the authorization requirement.</summary>
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
    public class AuthorizeAttribute : FilterAttribute, IAuthorizationFilter
    {
        private static readonly char[] _splitParameter = new char[]
        {
            ','
        };
        private readonly object _typeId = new object();
        private string _roles;
        private string[] _rolesSplit = new string[0];
        private string _users;
        private string[] _usersSplit = new string[0];
        /// <summary>Gets or sets the user roles that are authorized to access the controller or action method.</summary>
        /// <returns>The user roles that are authorized to access the controller or action method.</returns>
        public string Roles
        {
            get
            {
                return this._roles ?? string.Empty;
            }
            set
            {
                this._roles = value;
                this._rolesSplit = AuthorizeAttribute.SplitString(value);
            }
        }
        /// <summary>Gets the unique identifier for this attribute.</summary>
        /// <returns>The unique identifier for this attribute.</returns>
        public override object TypeId
        {
            get
            {
                return this._typeId;
            }
        }
        /// <summary>Gets or sets the users that are authorized to access the controller or action method.</summary>
        /// <returns>The users that are authorized to access the controller or action method.</returns>
        public string Users
        {
            get
            {
                return this._users ?? string.Empty;
            }
            set
            {
                this._users = value;
                this._usersSplit = AuthorizeAttribute.SplitString(value);
            }
        }
        /// <summary>When overridden, provides an entry point for custom authorization checks.</summary>
        /// <returns>true if the user is authorized; otherwise, false.</returns>
        /// <param name="httpContext">The HTTP context, which encapsulates all HTTP-specific information about an individual HTTP request.</param>
        /// <exception cref="T:System.ArgumentNullException">The <paramref name="httpContext" /> parameter is null.</exception>
        protected virtual bool AuthorizeCore(HttpContextBase httpContext)
        {
            if (httpContext == null)
            {
                throw new ArgumentNullException("httpContext");
            }
            IPrincipal user = httpContext.User;
            return user.Identity.IsAuthenticated && (this._usersSplit.Length <= 0 || this._usersSplit.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase)) && (this._rolesSplit.Length <= 0 || this._rolesSplit.Any(new Func<string, bool>(user.IsInRole)));
        }
        private void CacheValidateHandler(HttpContext context, object data, ref HttpValidationStatus validationStatus)
        {
            validationStatus = this.OnCacheAuthorization(new HttpConte