tags:

views:

43

answers:

1
+1  Q: 

Do ASP.Net MVC Controller Attributes Execute Before or After the Action?

Consider the following code:

    [Authenticate(Order = 1)]
    public ActionResult SomeActionThatRequiresAuthentication()
    { 
        var model = new SomeViewModel(); 
        // Do something with an authenticated session/user...
        return View(model);
    }

Does the Authenticate attribute happen before or after the code inside the SomeActionThatRequiresAutehntication method is executed?

I am asking this because I have a Attribute that does something like this:

    public class Authenticate : CustomAuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (!UserService.IsAuthenticated && !HttpContext.Current.Response.IsRequestBeingRedirected)
            HttpContext.Current.Response.Redirect(ViewUtil.Actions.User.LogOnUrl());
    }
}

As you can see the attribute will redirect a user if the user is not authenticated. However it appears that the redirect only happens after the action executes. This is causing problems because I made the assumption the user is authenticated when executing the action. First I need to understand if the attributes are supposed to happen before or after the action is executed, or am I thinking of the workflow completely wrong?

Thanks, Paul

After researching this some more it is clear that the filterContext.Result has to be set for this to work. After making a small change in my Authorize attribute, it is now working:

    public class Authenticate : CustomAuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (!UserService.IsAuthenticated && !HttpContext.Current.Response.IsRequestBeingRedirected)
            filterContext.Result = new RedirectResult(ViewUtil.Actions.User.LogOnUrl());
    }
}
+3  A: 

You're correct, Attributes execute before the action in question, so [Authenticate] should most certainly execute first and, if the user is not authenticated, the Action code never executes until after the user is redirected, authenticates and is redirected back to this action.

Edit based on comment: the MVC Framework OnAuthorizatrion method (source here) doesn't redirect, but sets the filterContext.Result to a `HttpUnauthorizedResult()' (which just sets a 401 status code). That result causes the authentication module to redirect the user to the login page. Assuming that the rest of your custom implementation is standard (not overriden or calling the base methods) changing this

HttpContext.Current.Response.Redirect(ViewUtil.Actions.User.LogOnUrl());

to this (or something similar, as long as you set the Result)

filterContext.Result = new HttpUnauthorizedResult();

should do the trick, at at least get your further down the road.

Brandon Satrom  2010-08-04 00:05:50
@Brandon From what I am seeing the action is actually executing even after a redirect takes place. I'm thinking this might be because all the redirect is doing is setting response codes on the Response object. It isn't actually stopping MVC from executing the action... I need to research this further, but that's the current thinking...
Paul Fryer  2010-08-04 00:28:44
Could be. Check out the source for the AuthorizationAttribute: http://aspnet.codeplex.com/SourceControl/changeset/view/55373#266447looks like you might try replacing the redirect with `filterContext.Result = new HttpUnauthorizedResult();`
Brandon Satrom  2010-08-04 00:47:04
@Brandon I actually tried setting filterContext.Result after adding my comment. And sure enough it is now working as expected. So I guess MVC will actually continue to execute the Action unless you set it in the Authorize attribute. See edits in original post.
Paul Fryer  2010-08-04 00:48:56
Awesome. I was just posting something similar in my original answer. Glad that worked for you!
Brandon Satrom  2010-08-04 00:52:56

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data