AuthorizeAttribute is an implementation class for authorizing an application. You are following the right approach.
IAuthorizationFilter is a more generalized interface that is implemented by many filters, but they do not necessarily provide authorization. While MVC doesnβt care much about anyway, third-party libraries can only identify the authorization component in the application and thus connect to the security of the application, this is to check if it inherits AuthorizeAttribute bottom line is that if your component Authorization does not inherit AuthorizeAttribute , some third-party libraries may not work correctly in your application.
Since AuthorizeAttribute implements IAuthorizationFilter , you still have access to all its functions, including the OnAuthorization method that Farhad mentioned.
Microsoft's only drawback is that each application will be based on users and roles, creating these AuthorizeAttribute properties. So, if you have an application that is not there, you may need to hide these properties in your implementation.
[Obsolete("Not applicable in this class.")] [DesignerSerializationVisibility(DesignerSerializationVisibility.Hidden)] [Browsable(false), EditorBrowsable(EditorBrowsableState.Never)] new public string Roles { get; set; } [Obsolete("Not applicable in this class.")] [DesignerSerializationVisibility(DesignerSerializationVisibility.Hidden)] [Browsable(false), EditorBrowsable(EditorBrowsableState.Never)] new public string Users { get; set; }
For third parties, an additional restriction is necessary - if you redefine OnAuthorization (note that you do not need it), it is important that a successful authorization actionContext.Response null for the actionContext.Response property and a failed authorization must set it to a non-zero value (a handler that will take action based on failure). This is how the default implementation works, and you have to follow one template if you need to configure it.