When we create an attribute of type AuthorizeAttribute
We have these 2 properties to be overwritten.
What's the difference between the two? Both seem to have the same function
[Edit]
The namespace of the cited attribute is System.Web.Mvc.AuthorizeAttribute
Succinctly:
AuthorizeCore . OnAuthorization . Basically, OnAuthorization checks whether the / action / controller has the AllowAnonymousAttribute attribute. If you have the attribute, authentication is not required. If you do not have the attribute, then call AuthorizeCore to determine if the request is authorized.
After running AuthorizeCore , OnAuthorization defines how to respond to unauthorized requests.
PS: The source code of the two methods can be found in GitHub .
AuthorizeCore It is the method that effectively makes the decision whether or not the user is authorized to access a particular context. Here you are given roles , the normal rules, the special rules, and so on. Return is just a Boolean.
OnAuthorization This is a method that performs additional actions that have to do with verifying the authorization itself, but it is not exactly the verification of the authorization. For example, put conditions to check whether the authorization check itself should be done or not.
Unlike AuthorizeCore , does not return result ( void ). The difference between them is basically in the utility scope of each.