Filters In ASP.NET MVC

About This Article
This article will tell you almost everything about filters used on action methods as well as on controllers in ASP.NET MVC. I am writing this article to tell you the basic to advanced foremost concepts about filters.

Last week one of my friends asked the question “How can I restrict the users to use my resources on the website?” I am dedicating this article to him. I hope he will like this.
The topics to be covered are,

• What are the Filters?
• Types of filters
• Authorization filters
• Action filters
• Result filters
• Exception filters
• Order of Filters
• Create a custom Filter in ASP.NET MVC?
• Filters provided in ASP.NET MVC

The question is how to restrict the user to stop the usage of website resources. So this can be done using Filters in ASP.NET MVC.
Let’s get started with Filters.
Introduction and Background
Filters are used to inject extra processing logic in the MVC request-response pipeline. You have seen in my previous article in the section of “Pipeline in MVC”, the HTTP request comes to “Routing” then goes to “Controller Initialization” then “Action Execution” and the “Result Execution” comes into action to render the view.
Now, if you want to inject some extra processing logic in between this request-response life cycle you have to use Filters or custom filters.
What are the filters?
Action filters are the attributes that can be applied on action method level, on controller level or application level. When these filters are applied on controller level then they will apply to all the actions within the controller.
Filters allow us to add pre-processing and post-processing logic to an action or controller. From this filter, the flow of the application can be changed. You can put this filter by decorating the attribute above the action method or controller. This will call the class of that attribute in which the whole logic is written.
Types of filters
There are the following types of action filters,

Filter Type	Interface	Description
Authentication	IAuthenticationFilter	Always runs, before any action method or any other filter.
Authorization	IAuthorizationFilter	These run first, before the action method or any other filters.
Action	IActionFilter	These run before and after the action method.
Result	IResultFilter	Runs before and after the action result is executed.
Exception	IExceptionFilter	Runs only if another filter, the action method, or the action result throws an exception.

Now let’s understand each filter with examples. (Examples are given in “Filters provided in ASP.NET MVC” section)
Authorization filters
These filters are useful for implementing the logic of authentication and authorization. This will allow us to execute the action method when we want. This filter implements the IAuthorizationFilter. The examples of authorization filters are AuthorizeAttribute and RequireHttpsAttribute.
Action filters
This filter contains the pre-processing and post-processing logic which can be applied to the action method of the controller or to the entire controller. This filter is executed before and after the action method of the controller executes.
This filter implements the IActionFilter interface. And this interface contains two methods, OnActionExecuting and OnActionExecuted which will be called before and after the action method gets executed respectively. This filter allows us to add some additional processing, for example, modifying the view data that an action method of controller returns or canceling the execution of the action method of the controller.
 Result filters
To use this filter, we have to implement the IResultFilter interface, and this interface contains two methods, OnResultExecuting and OnResultExecuted which will run before and after a view result is executed respectively. This filter allows us to modify the HTTP response, which means to modify the view result before the view is rendered to the browser. The OutputCacheAttribute class is an example of a result filter.
Exception Filter
The filter will execute when a controller or action method of the controller throws an unhandled exception. These filters implement the IExceptionFilter interface and can be used to log errors or to display the specific error page. The HandleErrorAttribute class is an example of the exception filter.
Note
The base class for all the action filters is the System.Web.Mvc.FilterAttribute class. Now, if you want to make your own custom type of filter, then you have to create a class that inherits the base filter class and then you have to implement one or more interfaces of the above-explained filters. See figure below, in which the interfaces of each filter is shown.

Filter Type	Interface
Authentication Filter	IAuthenticationFilter
Authorization Filter	IAuthorizationFilter
Action Filter	IActionFilter
Result Filter	IResultFilter
Exception Filter	IExceptionFilter

We’ll see how to create the custom filter later in this article. First look at the order of these filters in which they will execute.
Order of filters
You have read the above five filters and their corresponding interfaces with their methods. The list is as follows,

Now, suppose that we are using all the above filters on one action method, then what will be the order of its execution. So the order will be as follows,

As we know if the exception occurred in the application then application returns an exception instead of returning the result view. So for Exception filter, if the exception has occurred then the IExceptionFilter.OnException will be called instead of Result Filters (IResultFilter.OnResultExecuting and IResultFilter.OnResultExecuted).
Custom Filter in ASP.NET MVC
Now, let’s create the custom authentication filter which will redirect the user back to the login page if the user is not authenticated.
Create the project in the way shown below,

Select MVC then click OK.

Build and run your application simply and you will prompt the following page on the browser which will call from the Index action method of the HomeController. You can see this page is not prompted to the login page. But when we will make authentication filter and will apply on HomeController then we’ll redirect to login page.

Now, make a folder with the name of AuthenticationFolder in the project.

Then make a class with the name of AuthAttribute and inherit it from IAuthenticationFilter and IActionFilter. You can see below the look and feel of IAuthenticationFilter interface in which two methods OnAuthentication and OnAuthenticationChallenge are declared. The purpose of OnAuthentication is to be executed first and to perform needed authentication logic.

The purpose of OnAuthenticationChallenge is to restrict access of the user if the user is not authenticated. So in AuthAttribute class, you have to implement these methods. The logic to authenticate a user and to restrict user’s access is written in the following code.

1. using System.Web.Mvc;  
2. using System.Web.Mvc.Filters;  
3.    
4. namespace FiltersInMvc.AuthenticationFolder  
5. {  
6.     public class AuthAttribute : ActionFilterAttribute , IAuthenticationFilter  
7.     {  
8.         private bool _auth;  
9.    
10.         public void OnAuthentication(AuthenticationContext filterContext)  
11.         {  
12.             //Logic for making a user authenticate  
13.             _auth = (filterContext.ActionDescriptor.GetCustomAttributes(  
14.                 typeof(OverrideAuthenticationAttribute), true).Length == 0);  
15.         }  
16.    
17.         public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)  
18.         {  
19.             var user = filterContext.HttpContext.User;  
20.    
21.             if (user == null || !user.Identity.IsAuthenticated)  
22.             {  
23.                 filterContext.Result = new HttpUnauthorizedResult();  
24.             }  
25.         }  
26.     }  
27. }  

Now, we’ll apply this filter on the HomeController. So go to HomeController.cs class and decorate the controller with Auth attribute as shown in the figure below.

1. using FiltersInMvc.AuthenticationFolder;  
2. using System.Web.Mvc;  
3.    
4. namespace FiltersInMvc.Controllers  
5. {  
6.    
7.     public class HomeController : Controller  
8.     {  
9.         [Auth]  
10.         public ActionResult Index()  
11.         {  
12.             return View();  
13.         }  
14.    
15.         public ActionResult About()  
16.         {  
17.             ViewBag.Message = "Your application description page.";  
18.    
19.             return View();  
20.         }  
21.    
22.         public ActionResult Contact()  
23.         {  
24.             ViewBag.Message = "Your contact page.";  
25.    
26.             return View();  
27.         }  
28.     }  
29. }  

Now, simply build and run the application and you will prompt to the login page instead of a home page, as shown in the figure below.

Now I’ll register myself with my supposed credentials.

And then I’ll log in with the same credentials.

When you click on your Name then you will redirect to Manage controller in which you can manage your account setting such as change password etc. See figure below,

Authorization Filter
Now, I am going to apply authorization filter in this sampled application. These filters are used to enforce authorization policy in which the action method can only be invoked by approved or authenticated users. As you know, these filters are run before the action method is invoked and these implement the IAuthorizationFilter interface. The look and feel of IAuthorizationFilter interface is as follows;

1. namespace System.Web.Mvc  
2. {  
3.   /// <summary>Defines the methods that are required for an authorization filter.</summary>  
4.   public interface IAuthorizationFilter  
5.   {  
6.     /// <summary>Called when authorization is required.</summary>  
7.     /// <param name="filterContext">The filter context.</param>  
8.     void OnAuthorization(AuthorizationContext filterContext);  
9.   }  
10. }  

Now, let’s make a class with the name of AuthZAttribute to apply authorization policy. For authorization, you have to inherit the AuthAttribute class to AuthorizeAttribute. In this example, I’ll use the built in feature of Authorize attribute. For this, you have to override the AuthorizeCore (HttpContextBase httpContext) method from the AuthorizeAttribute class. The look and feel of AuthorizeCore method is as follows,

1. /// <summary>When overridden, provides an entry point for custom authorization checks.</summary>  
2.    /// <returns>true if the user is authorized; otherwise, false.</returns>  
3.    /// <param name="httpContext">The HTTP context, which encapsulates all HTTP-specific information about an individual HTTP request.</param>  
4.    /// <exception cref="T:System.ArgumentNullException">The <paramref name="httpContext" /> parameter is null.</exception>  
5.    protected virtual bool AuthorizeCore(HttpContextBase httpContext);  

So you can see in the comments, the purpose to this method is to return true if the user is authorized; otherwise  false. So it will provide us authorization logic and we’ll override it shortly. Let’s  write some code in AuthZAttribute. The code is as follows,

1. using System.Web;  
2. using System.Web.Mvc;  
3.    
4. namespace FiltersInMvc.AuthenticationFolder  
5. {  
6.     public class AuthZAttribute : AuthorizeAttribute  
7.     {  
8.         private readonly bool _localReq;  
9.    
10.         public AuthZAttribute(bool reqReq)  
11.         {  
12.             _localReq = reqReq;  
13.         }  
14.    
15.         protected override bool AuthorizeCore(HttpContextBase httpContext)  nbsp;
16.         {  
17.             if (httpContext.Request.IsLocal)  
18.             {  
19.                 return _localReq;  
20.             }  
21.             else  
22.             {  
23.                 return true;  
24.             }  
25.         }  
26.     }  
27. }  

You can see above we are using constructor AuthZAttribute (bool allowedReq), which takes bool value indicating whether the local requests are permitted by taking advantage of the built-in feature of the authorization attribute base class, I only want to show the basic logic of authorization. Now it’s time to implement this attribute to action methods of the controller. Open the HomeController and decorate the Index action method with this Authorize Attribute. The code is given below,

1. using System.Web.Mvc;  
2.    
3. namespace FiltersInMvc.Controllers  
4. {  
5.       
6.     public class HomeController : Controller  
7.     {  
8.         [Authorize]  
9.         public ActionResult Index()  
10.         {  
11.             return View();  
12.         }  
13.    
14.         public ActionResult About()  
15.         {  
16.             ViewBag.Message = "This is the article by Zain.";  
17.    
18.             return View();  
19.         }  
20.    
21.         public ActionResult Contact()  
22.         {  
23.             ViewBag.Message = "Your contact page.";  
24.    
25.             return View();  
26.         }  
27.     }  
28. }  

 Now you can simply build and then run the application and you will see the following output in the browser. You will prompt to the login page because you are not an authenticated user. It is because of Authorize attribute.

As I have registered myself with my credentials so there is no need to register again. I will log in with credentials.

Now, you can see in the figure below, I am logged in.

As you can see, I am logged in and can access the About and Contact page without any need to give login credentials.
Now, put Authorize attribute to About action method, as shown below,

Now, build and run the application, you’ll see the following output in the browser.

But when you click on About link, then the application will redirect your browser to log in page. Because About page can only be used by authenticated users. See the picture below,

Now, I’ll write my email and password to access the About page, as shown below,

You can see below, I am redirected to the About page successfully.

Hence you have seen the basic functionality of Authentication and Authorization. One more feature of authorization is, you can specify specific users to access any action method, decorated with Authorize attribute.
I am decorating Contact action method with Authorize attribute and specifying the user’s email as “zainshah@outlook.com” so my previous email would not work at all. Let’s see the code.

1. using System.Web.Mvc;  
2.    
3. namespace FiltersInMvc.Controllers  
4. {  
5.       
6.     public class HomeController : Controller  
7.     {  
8.         //[Authorize]  
9.         public ActionResult Index()  
10.         {  
11.             return View();  
12.         }  
13.    
14.         [Authorize(Users="syedzain@outlook.com")]  
15.         public ActionResult About()  
16.         {  
17.             ViewBag.Message = "This is the article by Zain.";  
18.    
19.             return View();  
20.         }  
21.    
22.         [Authorize(Users="zainshah@outlook.com")]  
23.         public ActionResult Contact()  
24.         {  
25.             ViewBag.Message = "Your contact page.";  
26.    
27.             return View();  
28.         }  
29.     }  
30. }  

Now, build and run the application. You can see below, my old credentials are logged in. I am able to access the About page, as shown below,

But when I click on Contact link, I can’t access Contact page, because I am not an authenticated user with the email “zainshah@outlook.com”. I will redirect to the log in page, as shown below.

Now, I’ll register myself with new email and password. Email should be “zainshah@outlook.com” to access Contact page.

Now click on Register, and you will automatically prompt to the index page. So click on the Contact page, and you’ll successfully access it, as shown below,

But now if you click on About page, you should be prompted log in page, because you are not authenticated with email as “syedzain@outlook.com”. About can only be accessed with this email Id. You can see the login page below while logged in as “zainshah@outlook.com”.

Hence this is all about authentication and authorization. Now we’ll look at some filters provide in ASP.NET MVC, each with an example. So let’s move towards it.
Filters provided in ASP.NET MVC
ASP.NET MVC provide us with some filters that can be implemented as attributes. And these are applicable at the level of action method, the controller or the whole application.

1. AuthorizeAttribute
2. HandleErrorAttribute
3. OutputCacheAttribute
4. RequireHttpsAttribute

AuthorizeAttribute
This filter is used to restrict access by authentication and authorization. In other words, this is an attribute that can be used to restrict access to the action methods of the controller by callers.
Syntax

1. namespace System.Web.Mvc  
2. {  
3.   /// <summary>Specifies that access to a controller or action method is restricted to users who meet the authorization requirement.</summary>  
4.   [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]  
5.   public class AuthorizeAttribute : FilterAttribute, IAuthorizationFilter  
6.   {  
7.     //Some code here.   
8.   }  
9. }  

As you know, almost every website requires users to log in before to use the restricted content of the website. But in some web applications, even when the user is logged in we want to restrict the users to view or modify some specific content. To accomplish this task, you have to use the AuthorizeAttribute class. So when you mark an action method with the AuthorizeAttribute then the access to that action method is restricted to users who are both authenticated and authorized. When the controller is decorated with this attribute then all the action methods of the controller are restricted.
When an unauthorized user tries to access the action method of the controller which is decorated with AuthorizeAttribute, then the user gets 401 HTTP status code. But if ASP.NET forms authentication is set in the website then 401 status code causes the browser to redirect the user to the login page.
Example
We have already seen the example of AuthorizeAttribute used in authorization section above. Here you will just see the sampled example and its result (without proper images of outputs).
Below you can see the example in which there is a controller (HomeController) who has total 5 action methods in which three methods are decorated with Authorize attribute and two methods are not decorated with an attribute.

1. public class HomeController: Controller  
2.  {  
3.      public ActionResult Index()  
4.      {  
5.          ViewData["Message"] = "This is Zain’s article!";  
6.   
7.          return View();  
8.      }  
9.   
10.      public ActionResult About()  
11.      {  
12.          return View();  
13.      }  
14.   
15.      [Authorize]  
16.      public ActionResult AuthenticatedUsers()  
17.      {  
18.          return View();  
19.      }  
20.   
21.      [Authorize(Roles = "Admin, Super User")]  
22.      public ActionResult AdministratorsOnly()  
23.      {  
24.          return View();  
25.      }  
26.   
27.      [Authorize(Users = "Zain@outlook.com, syed@outlook.com")]  
28.      public ActionResult SpecificUserOnly()  
29.      {  
30.          return View();  
31.      }  
32.  }  

The first two action methods, Index and About, can be accessed by anyone, even the anonymous users. The AuthenticatedUsers action method can only be accessed by the users who are properly logged in. The AdministratorsOnly action method can only be accessed to those users who have either the role Admin or Super User. And the SpecificUser action method can only be accessed to those users who have either the name of “zain@outlook.com” or “syed@outlook.com”.
HandleErrorAttribute
This filter is used to handle an exception thrown by an action method. Let’s move to see its syntax.
Syntax

1. namespace System.Web.Mvc  
2. {  
3.   /// <summary>Represents an attribute that is used to handle an exception that is thrown by an action method.</summary>  
4.   [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]  
5.   public class HandleErrorAttribute : FilterAttribute, IExceptionFilter  
6.   {  
7.     //Some code here  
8.   }  
9. }  

After decorating this attribute to an action method, when the action method throws an exception, MVC displays the error view, which is located in ~/View/Shared folder. There are following properties of HandleErrorAttribute, which are given below,

• ExceptionType
  Specifies the type of exception that is handled by the filter. The return type of this property is Type, which means it returns the type of exception that occurred. We can modify its default behavior.
• Master
  This property gets or sets the master view for displaying exception information. The return type of this property is a string so that it can display exception information.
• TypeId
  This property is used to get the unique identifier for the HandleErrorAttribute. We can’t modify or set the value for this property.
• ViewThis property is used to get or set the page view for displaying exception information. We can set the view page name for this attribute. As we know when the action method throws an exception, MVC displays an Error view in a Shared folder located in View folder. MVC framework sends information of exception in the ViewDictionary object. And the Model property of this view is set to an instance of the ExceptionContext class. The ViewData dictionary contains the values for the keys:

• ActionName - The intended action method who throws an exception.
• ControllerName - The intended controller in which the action method throws an exception.
• Exception - The exception object was thrown by the action method of the controller.

Example
To use HandleErrorAttribute, let’s some change in the project FiltersInMvc. Follow the steps given below:
Step 1

Add an action method with the name of CustomException in the HomeController

1. public ActionResult CustomException()  
2.        {  
3.            throw new Exception("Something went wrong!");  
4.        }  

Step 2

Go to Shared folder, then open _Layout.cshtml and add the following line of code for the navigation bar.

1. <li>@Html.ActionLink("Custom Exception", "CustomException", "Home")</li>  

You can see the code below:
Code of HomeController is as follows,

1. using System;  
2. using System.Web.Mvc;  
3.    
4. namespace FiltersInMvc.Controllers  
5. {  
6.     public class HomeController : Controller  
7.     {  
8.         public ActionResult Index()  
9.         {  
10.             return View();  
11.         }  
12.    
13.         [Authorize(Users="syedzain@outlook.com")]  
14.         public ActionResult About()  
15.         {  
16.             ViewBag.Message = "This is the article by Zain.";  
17.    
18.             return View();  
19.         }  
20.    
21.         [Authorize(Users="zainshah@outlook.com")]  
22.         public ActionResult Contact()  
23.         {  
24.             ViewBag.Message = "Your contact page.";  
25.    
26.             return View();  
27.         }  
28.    
29.         public ActionResult CustomException()  
30.         {  
31.             throw new Exception("Something went wrong!");  
32.         }  
33.     }  
34. }  

And you should add this piece of code into _Layout.cshtml file in the Shared folder is as follows,

1. <li>@Html.ActionLink("Custom Exception", "CustomException", "Home")</li>

The output of the above line shows the Customer Exception in the navigation bar, as shown below,

Now let’s build and run the application, and go to the /Home/CustomException URL, as shown below,

So when you will call the CustomException action method, you can see the above output has an exception.
But the problem with the output here is, it has the code of the application, which can be helpful for a hacker. So we can display any friendly error page. This can be done in two ways,

• Go to Web.config file of the root directory, then go to system.web section and place the following element in that section,

1. <customErrors mode="On"></customErrors>  

• Place user-friendly text in the Error.cshtml file in Shared You can see below the screenshot of code,

• Now simply build and run the application, go to /Home/CustomException URL then you should see the output given below,

Question - I didn’t use HandleError attribute yet, then how did all this work?
Answer

Look, this is all due to HandleError attribute which is already added to the GlobalFilters collection in global.asax file. When a filter is added to the GlobalFilters collection, then it is applicable to all the controllers and their action methods in the entire application. You can see the code below,

If we put the cursor on FilterConfig and select “Go to definition” option, then you can see the below code,

As you can see, HandleErrorAttribute is already added to the filters collection. So it is already applied to all the controllers and their action methods.
Now if we comment on this line of code, then what happened?

Now, if you build and run the application, and go to /Home/CustomException URL, you should see the following runtime error,

Now, if you want to again handle the error, then you have to decorate the action method with HandleErrorAttribute.

1. [HandleError]  
2.        public ActionResult CustomException()  
3.        {  
4.            throw new Exception("Something went wrong!");  
5.        }  

Now you should see the following output in the browser,

Hence, you have seen the use of the HandleError attribute. You can apply it to controller level if more than one action method of your controller has thrown an exception.
OutputCacheAttribute
This filter is used to decorate an action method of a controller whose output will be cached.
Syntax

1. [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]  
2.  public class OutputCacheAttribute : ActionFilterAttribute, IExceptionFilter  
3. {  
4.     //Some code here  
5. }  

OutputCacheAttribute is used to store the output of an action method in memory on the web server. For example, if the action method renders a view, that view page will be cached. This cached page will available to the HTTP requests for some specified time. This can be helpful in saving the time and resources it would take to re-create the result of that action method. Now we are going to take a simple example in which the output of the Test action method of the HomeController will be cached for 10 seconds. There will be a tab for Test action method in the navigation bar, so when you repeatedly click on the tab, you can see that the page stays cached for 10 seconds.
To use OutputCacheAttribute, let’s some change in the project FiltersInMvc. Follow the steps given below:
Step 1

Add an action method with the name of Test in the HomeController

1. [OutputCache(Duration = 10)]  
2.        public ActionResult Test()  
3.        {  
4.            ViewData["Message"] = "This page was cached at " + DateTime.Now;  
5.   
6.            return View();  
7.        }  

Step 2

Go to Shared folder, then open _Layout.cshtml and add the following line of code for the navigation bar.

1. <li>@Html.ActionLink("Test OutputCacheAttribute", "Test", "Home")</li>  

Step 3

Add the View with the name of Test. Code of Test view is as follows,

1. @{  
2.     ViewBag.Title = "Output";  
3. }  
4.    
5. <h2>Output</h2>  
6.    
7. <p>  
8.     @Html.Encode(ViewData["Message"])  
9. </p>  

Output

Simply build and run the application. You should see the below output.



When you repeatedly click within 10 seconds, then you will not see any change in the time. But after 10 seconds you can see the change in time. Hence in his fashion, you can store the output of an action method for the specified time.
RequireHttpsAttribute
RequireHttpsAttribute is used to force an un-secured HTTP request to be re-sent over HTTPS.
To use RequireHttpsAttribute, let’s some change in the project FiltersInMvc. Follow the steps given below:
Step 1

Add an action method with the name of Force in the HomeController

1. public string Force()  
2. {  
3.     return @"This method 'Force' should be accessed only using HTTPS protocol.";  
4. }  

When you build and run the application through this URL http://localhost:50491/Home/Force, you should see the following output,

But when we applied RequireHttps attribute to the Force action method, as shown below in code, then we can’t browse it with HTTP protocol. If we try to browse it with HTTP then it will be redirected to HTTPS URL.

1. [RequireHttps]  
2.        public string Force()  
3.        {  
4.            return @"This method 'Force' should be accessed only using HTTPS protocol.";  
5.        }  

Now, build and reload the browser, you can see the change in URL, the protocol is changed from HTTP to HTTPS. So, [RequireHttps] attribute, forces an HTTP request to be re-sent over HTTPS.

RequireHttps attribute can be applied on controller level, in this case, it will apply to all the action methods in that controller.
Conclusion
I hope this article has helped you in understanding all the concepts about filters. If you have any query then feel free to contact me in the comments section. Also, give feedback, either positive or negative, it will help me to make my articles better and increase my enthusiasm to share my knowledge.