问题描述
我们最近通过使用存储在Azure Document DB中的凭据来实现自定义AuthorizationFilterAttribute来实现API身份验证. DocDB强制所有内容都使用Async.
We've recently implemented API authentication by implementing a custom AuthorizationFilterAttribute, using credentials stored in Azure Document DB. DocDB mandates everything use Async.
通过实验,我们发现WebApi2同步控制器将使用OnAuthorizationAsync(如果存在)以及OnAuthorization(如果没有异步方法)(如果存在).我们还发现asyc控制器方法可以使用auth方法.但是我不是100%肯定它能正常工作.我们只看到代码确实达到了断点.
Through experimenting we found that WebApi2 synchronous controllers will use the OnAuthorizationAsync if present, and OnAuthorization if no async method. We also found that asyc controller methods can use either auth method. But I'm not 100% sure it is working correctly. We only saw that code did hit breakpoints.
奇怪的是,您也可以覆盖OnAuthorization将其标记为异步
Oddly, you can also override OnAuthorization mark it as async
最后一个方法可以编译并正常执行,但是控制器不会在动作方法开始之前等待auth过滤器完成执行.通常结果是ASP错误:
This last method compiles and executes fine, but the controller will not wait for the auth filter to finish executing before the action method begins. Usually the result is an ASP error:
这种对替代的操作似乎应该是编译错误,不允许这样做.
Seems like this manipulation of the override should have been a compile error and not allowed.
无论如何....关于AuthorizationFilterAttribute有许多谜团,还有一些有关此混淆的文章. Asp.net WebApi中的自定义授权-什么一团糟吗?
Regardless.... There are many mysteries about AuthorizationFilterAttribute and a few other posts exist about the confusion. Custom Authorization in Asp.net WebApi - what a mess?
我的问题是,您如何知道将执行哪个优先级?如果两者都存在于过滤器中,则只会出现一个方法.
My question is how do you know which will execute and in which order of precedence? It does appear if both exist in the filter, only one method is executed.
-
如果控制器动作是异步的,是否必须重写OnAuthorizationAsync方法?
If your controller action is async, must you override the OnAuthorizationAsync method?
如果您的身份验证逻辑中有async等待,并且被迫使用OnAuthorizationAsync(就像我一样),那么这是否意味着我必须将所有控制器动作都更改为现在都是异步控制器动作?
If you have async await in your auth logic, and are forced to use OnAuthorizationAsync (like I am), does this then mean I have to change all my controller actions to now all be async controller actions?
我找不到任何有关异步动作过滤器场景的文档.
I can't find any documentation that lays out scenarios for async action filters.
推荐答案
如果您看一下 AuthorizationFilterAttribute 的源代码,那么您会发现 OnAuthorizationAsync的基本实现是实际调用 OnAuthorization 的人.
If you take a look at the source code of AuthorizationFilterAttribute then you can see that the base implementation of OnAuthorizationAsync is the one actually calling OnAuthorization.
public virtual void OnAuthorization(HttpActionContext actionContext)
{
}
public virtual Task OnAuthorizationAsync(HttpActionContext actionContext, CancellationToken cancellationToken)
{
try
{
OnAuthorization(actionContext);
}
catch (Exception ex)
{
return TaskHelpers.FromError(ex);
}
return TaskHelpers.Completed();
}
如您所见,您实际上可以覆盖所需的任何一种方法,而无需调用基本实现.只需选择一种对您的情况有好处的产品即可-控制器是否异步都没关系.
As you can see, you can actually override either method you want and you don't need to call the base implementation. Just choose the one which makes more since for your scenario - it doesn't matter if the controller is async or not.
关于您将 OnAuthorization 本身标记为异步的问题-代码会进行编译,因为这是C#异步支持的设计方式,但确实会导致调用代码不等待异步部分完成(由于该方法被标记为 async void 而不是 async Task ,它实际上迫不及待.您可以阅读有关 async避免 .
And regarding your question about marking OnAuthorization itself as async - the code compiles since that's the way C# async support is designed, but it indeed causes the calling code to not wait for the async part to complete (it actually can't wait since the method is marked async void and not async Task. You can read more about async avoid here.
这篇关于WebApi2何时使用OnAuthorizationAsync与OnAuthorization的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!