注意区分认证和授权:
The following are the differences in short:
- Authentication(认证): It is a process of verification that verifies “Who you are” (it confirms that you are a valid (or invalid) user).
- Authorization(授权): It is a process of verification that verifies “What to do” (It confirms you are permissible to do (or not to do) that).
另外在mvc中的认证过滤器总是优先与授权过滤器
Authentication filters are applied prior to any Authorization filters.
MVC中针对授权IAuthorizationFilter提供了默认实现,即AuthorizeAttribute,没有针对IAuthenticationFilter的默认实现。
接口IAuthenticationFilter的OnAuthentication()方法可以用于执行任何需要的身份验证,而OnAuthenticationChallenge方法基于已验证用户的身份限制其访问。
The OnAuthentication method is executed first and can be used to perform any needed authentication. The OnAuthenticationChallenge method is used to restrict access based upon the authenticated user's principal.
//IAuthenticationFilter提供两个方法 public void OnAuthentication(AuthenticationContext filterContext){} public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext){} //注意方法内,如果filterContext.Result进行了赋值(ActionResult),那么针对整个“AuthenticationFilter链”的执行将会立即中止,指定的这个ActionResult对象将用于响应当前请求。
如果在执行过程中对AuthenticationContext.Principal属性进行了赋值(IPrincipal),该属性值将会作为当前HttpContext和当前线程的Principal
AuthenticationFilter执行链图示