You are currently viewing Thoughts about Custom Filters in .NET Core Web API
.NET Core Web API - Custom Filters

Thoughts about Custom Filters in .NET Core Web API

In previous post, we discussed about filter pipeline processes the requests. We also have seen different types of filters and when they are invoked. In this article, let’s have a look at how to create custom filters.

Authorization Filters

A filter that implements IAuthorizationFilter is an authorization filter. This filter has only one method OnAuthorization which checks if the access should be allowed. RequireHttpsAttribute is one of the example of authorization filter.

If an application have any custom needs, documentation suggests to configure authorization policies. If in-built authorization policy is not sufficient, then custom authorization policies can be created. Overall, authorization policies should be preferred instead of creating a custom authorization filter.

Resource Filters

As discussed in previous post, resource filters wraps most of the filter pipeline. Hence it might be good place for adding extra checks to see if rest of the filter pipeline should be executed. It can set the result for incoming request, thus short circuiting the filter pipeline.

A custom resource filter can be created by implementing any one of the two interfaces:

These interfaces provide two methods – one which gets before and the other which gets executed after the remaining filter pipeline.

DisableFormValueModelBindingAttribute is one of the example of how to implement a custom resource filter.

Action Filters

An action filter surrounds the action execution. A custom action filter can be created by implementing any one of the below interfaces:

These interfaces provide two methods – one runs just before action execution and other runs just after the action execution.

OnActionExecuting method gets ActionExecutingContext as parameter, which provides access to:

  • Action Arguments, can be used to read the input parameters of the action
  • Controller, can be used to manipulate the controller instance
  • Result, setting result property cause short-circuiting the filter pipeline if next delegate is not called.

OnActionExecuted method gets ActionExecutedContext as parameter, which provides access to:

  • Controller, can be used to manipulate the controller instance
  • Result, setting result property cause short-circuiting the filter pipeline if next delegate is not called.
  • Canceled, it is true if the action execution was short-circuited by another filter.
  • Exception, this property is not null and has some exception assigned if previously executed action filter has thrown an exception. If it is set to NULL, it conveys that exception was handled and result is executed as if result was returned by action.

Instead of implementing the interface, framework provides an abstract class – ActionFilterAttribute – which can be extended further as per needs of an application.

Exception Filters

Exception filters are executed after action’s execution (after execution of Action filters).

A filter that implements either IExceptionFilter or IAsyncExceptionFilter interface. It might be one way to apply common exception handling policy to whole or some parts of an application.

Unlike other filters, exception filters do not have before and after methods. There is only one method provided by exception filters – either OnException or OnExceptionAsync based on which interface you are using.

Generally, as per documentation, it is better to use exception handling middleware instead of creating a custom exception filter. I already have discussed this in one of my previous blog posts.

Result Filters

When an API action is executed it produces some result. This result is then executed. Result execution basically writes results to the response. Result filters wrap the result execution. Each result filter has two methods – one which is executed before and other executed after the result execution.

There are two ways to implement a result filter.

IResultFilter or IAsyncResultFilter

If a filter implements one of the two interfaces, it is a result filter. These types of result filters are not executed if authorization filter short-circuits the pipeline. Also, if an exception filter handles the exception and produces some result, then also these types of result filters are not executed.

IAlwaysRunResultFilter or IAsyncAlwaysRunResultFilter

A result filter can also be created from these two interfaces. These types of result filters, as the interface name suggests, are always executed. They are applied to all the results including results produced by authorization filters short-circuiting and exception handling filters.

Extending Implementation

There are also some abstract classes which can be extended further to add application specific logic.

I hope you find this information useful. Let me know your thoughts.

Leave a Reply