Authorization Filter runs every time
380 views
Skip to first unread message
Alex G.
Nov 8, 2011, 2:14:50 PM11/8/11
to aut...@googlegroups.com
I have a custom authorization filter that requires certain properties be injected at run time. I have Autofaq working properly in that it successfully instantiates the filter and populates the properties. The problem is that I only want this filter to run when it is attached to a particular method as an attribute. However, the filter is being run on every action call even if the action is not decorated by the filter. Normally, I would insure this was not registered as a global filter, but I don't know how to prevent that using Autofac (or even if it can be prevented). Can someone suggest what I may be doing wrong in this situation?
Thanks,
Alex
Alex Meyer-Gleaves
Nov 9, 2011, 10:23:18 AM11/9/11
to aut...@googlegroups.com
Hi Alex,
Your custom attribute should not be treated as a global filter by default. It should only be returned from the filter provider when your AuthorizeAttribute derived attribute is found on the action being invoked. Are you using the MVC 3 integration and the ContainerBuilder.RegisterFilterProvider method to configure filter attribute injection?
Cheers,
Alex.
--
You received this message because you are subscribed to the Google Groups "Autofac" group.
To view this discussion on the web visit https://groups.google.com/d/msg/autofac/-/my0rWo3gMpgJ.
To post to this group, send email to aut...@googlegroups.com.
To unsubscribe from this group, send email to autofac+u...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/autofac?hl=en.
Alex G.
Nov 9, 2011, 1:19:03 PM11/9/11
to Autofac
It's definitely being called every time. For now I added a work
around that shortcircuits the login within the filter by forcing me to
define a filter with a true value on an authorize property. Here's
the code:
Injection code:
builder.RegisterType<ExtensibleActionInvoker>().As<IActionInvoker>();
builder.RegisterControllers(Assembly.GetExecutingAssembly()).InjectActionInvoker();
// values that are injected as properties on
builder.Register(c => new
NonceStore()).As<INonceStore>().InstancePerHttpRequest();
builder.Register(c => new
TokenManager()).As<IServiceProviderTokenManager>().InstancePerHttpRequest();
// now inject any action filters here.
builder.RegisterType<OAuthFilterAttribute>().As<IAuthorizationFilter>().PropertiesAutowired(PropertyWiringFlags.PreserveSetValues);
builder.RegisterFilterProvider();
Code for my filter:
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public class OAuthFilterAttribute : ActionFilterAttribute,
IAuthorizationFilter
{
public IServiceProviderTokenManager TokenManager { get; set; }
public INonceStore NonceStore { get; set; }
public bool Authorize { get; set; }
public OAuthFilterAttribute()
{
Authorize = false;
}
public void OnAuthorization(AuthorizationContext
filterContext)
{
if (!Authorize)
return;
... go ahead and do stuff
}
}
On Nov 9, 10:23 am, Alex Meyer-Gleaves <alex.meyerglea...@gmail.com>
wrote:
around that shortcircuits the login within the filter by forcing me to
define a filter with a true value on an authorize property. Here's
the code:
Injection code:
builder.RegisterType<ExtensibleActionInvoker>().As<IActionInvoker>();
builder.RegisterControllers(Assembly.GetExecutingAssembly()).InjectActionInvoker();
// values that are injected as properties on
builder.Register(c => new
NonceStore()).As<INonceStore>().InstancePerHttpRequest();
builder.Register(c => new
TokenManager()).As<IServiceProviderTokenManager>().InstancePerHttpRequest();
// now inject any action filters here.
builder.RegisterType<OAuthFilterAttribute>().As<IAuthorizationFilter>().PropertiesAutowired(PropertyWiringFlags.PreserveSetValues);
builder.RegisterFilterProvider();
Code for my filter:
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public class OAuthFilterAttribute : ActionFilterAttribute,
IAuthorizationFilter
{
public IServiceProviderTokenManager TokenManager { get; set; }
public INonceStore NonceStore { get; set; }
public bool Authorize { get; set; }
public OAuthFilterAttribute()
{
Authorize = false;
}
public void OnAuthorization(AuthorizationContext
filterContext)
{
if (!Authorize)
return;
... go ahead and do stuff
}
}
On Nov 9, 10:23 am, Alex Meyer-Gleaves <alex.meyerglea...@gmail.com>
wrote:
> Hi Alex,
>
> Your custom attribute should not be treated as a global filter by default.
> It should only be returned from the filter provider when your
> AuthorizeAttribute derived attribute is found on the action being invoked.
> Are you using the MVC 3 integration and the
> ContainerBuilder.RegisterFilterProvider method to configure filter
> attribute injection?
>
> Cheers,
>
> Alex.
>
>
> Your custom attribute should not be treated as a global filter by default.
> It should only be returned from the filter provider when your
> AuthorizeAttribute derived attribute is found on the action being invoked.
> Are you using the MVC 3 integration and the
> ContainerBuilder.RegisterFilterProvider method to configure filter
> attribute injection?
>
> Cheers,
>
> Alex.
>
Alex Meyer-Gleaves
Nov 9, 2011, 8:34:23 PM11/9/11
to aut...@googlegroups.com
I would recommend that you use the new mechanism for property injection on filter attributes (assuming you are using MVC 3). I believe it is the action invoker that is causing your problem.
You can create an attribute that derives from AuthorizeAttribute and overrides the AuthorizeCore method. This can then be placed onto your action methods. Any services that you want injected into properties should be registered with the container. There is no need to register the attribute itself.
Alex G.
Nov 10, 2011, 12:26:31 AM11/10/11
to Autofac
Thank you. Missed that doc. After following it, everything works
perfectly. RTFM. Sorry.
Alex
On Nov 9, 8:34 pm, Alex Meyer-Gleaves <alex.meyerglea...@gmail.com>
wrote:
perfectly. RTFM. Sorry.
Alex
On Nov 9, 8:34 pm, Alex Meyer-Gleaves <alex.meyerglea...@gmail.com>
wrote:
> I would recommend that you use the new mechanism for property injection on
> filter attributes (assuming you are using MVC 3). I believe it is the
> action invoker that is causing your problem.
>
> http://code.google.com/p/autofac/wiki/Mvc3Integration#Filter_Attribut...
> filter attributes (assuming you are using MVC 3). I believe it is the
> action invoker that is causing your problem.
>
>
> You can create an attribute that derives from AuthorizeAttribute and
> overrides the AuthorizeCore method. This can then be placed onto your
> action methods. Any services that you want injected into properties should
> be registered with the container. There is no need to register the
> attribute itself.
>
> You can create an attribute that derives from AuthorizeAttribute and
> overrides the AuthorizeCore method. This can then be placed onto your
> action methods. Any services that you want injected into properties should
> be registered with the container. There is no need to register the
> attribute itself.
>
Alex G.
Nov 10, 2011, 12:27:52 AM11/10/11
to Autofac
By the way, to also add, I forgot to mention that this app is actually
MVC 4.0 (using the latest released bits). Have not run into any
problems with the current MVC integration yet (other than this issue).
Alex
MVC 4.0 (using the latest released bits). Have not run into any
problems with the current MVC integration yet (other than this issue).
Alex
Reply all
Reply to author
Forward
0 new messages