asp.net mvc - Specifying action filter at the controller level Versus at the action method level, which will run first -

asp.net mvc - Specifying action filter at the controller level Versus at the action method level, which will run first -

when create asp.net mvc 5 web project, check business relationship controller , find next code:-

[authorize] public class accountcontroller : controller { public accountcontroller() : this(new usermanager<applicationuser>(new userstore<applicationuser>(new applicationdbcontext()))) { } // get: /account/login [allowanonymous] public actionresult login(string returnurl) { viewbag.returnurl = returnurl; homecoming view(); }

where specify [authorize] @ controller level, , [allowanonymous] @ action method level. thought asp.net mvc check first action filters @ controller level , if successed processed action method call. seems not situation, because anonymous users can phone call login action method, although [authorize] specified @ controller level ? scenario here?

thanks

you can start having @ authorize attribute source code understand how works: http://aspnetwebstack.codeplex.com/sourcecontrol/latest#src/system.web.mvc/authorizeattribute.cs

have closer @ onauthorization method: see looks allowanonymous attribute on action or controller , skip authorization if find any.

bool skipauthorization = filtercontext.actiondescriptor.isdefined(typeof(allowanonymousattribute), inherit: true) || filtercontext.actiondescriptor.controllerdescriptor.isdefined(typeof(allowanonymousattribute), inherit: true); if (skipauthorization) { return; }

asp.net-mvc asp.net-mvc-4 asp.net-mvc-5 action-filter