在AuthorizeAttribute和Controller之间传递对象

Question

To authorize a GET request for an item by Id, I query for the item in a custom AuthorizeAttribute to verify the authenticated user has access. To prevent duplicating the query in the ApiController action, I want to pass the object from the AuthorizeAttribute to the action.

Since the AuthorizeAttribute is called in the pipeline before the ActionArgument binders have run, I cannot pass the object via HttpActionContext.ActionArguments . I am also wary of serializing it into a querystring and potentially running up against the length limit.

One option for passing the item is stashing it in HttpContext.Current.Items and casting it upon retrieval in the action. I have read that this will work even in asynchronous actions, but there seems to be considerable advice against using the Items dictionary.

Should I simply re-query for the item in the action? Is using the Items dictionary appropriate? Is it appropriate to use an ActionFilterAttribute for this purpose to allow for access to HttpActionContext.ActionArguments even though I am using it for authorization? Is there another vector that I have overlooked?

Answer 1

Use Properties dictionary of HttpRequestMessage . http://msdn.microsoft.com/en-us/library/system.net.http.httprequestmessage.properties(v=vs.110).aspx

Answer 2

I use this code

 protected override bool AuthorizeCore(System.Web.Http.Controllers.HttpActionContext actionContext)
            {
                BaseApiController baseApi = actionContext.ControllerContext.Controller as BaseApiController;
                baseApi.Property = 10;
            }