如果我希望使用ASP.NET MVC4创建ApiKey受限资源，我应该使用IAuthorizationFilter吗？

所以我不确定我是应该实现IAuthorizationFilter还是实现IActionFilter甚至是其他东西。

您应该实现IAuthorizationFilter ：

 public class MyAuthorizeAttribute: FilterAttribute, IAuthorizationFilter { public void OnAuthorization(AuthorizationContext filterContext) { var key = filterContext.HttpContext.Request.QueryString["param_name"]; if (!IsValid(key)) { // Unauthorized! filterContext.Result = new HttpUnauthorizedResult(); } } private bool IsValid(string key) { // You know what to do here => go hit your RavenDb // and perform the necessary checks throw new NotImplementedException(); } } 

如果您想在自定义操作filter中使用依赖项注入，可以查看following article ，您可以在其中实现自定义filter提供程序（ IFilterProvider ）。 您可以在控制器操作上使用标记属性，然后让此自定义filter提供程序只查看操作是否使用此标记属性进行修饰并应用自定义授权filter。

例如：

 public class MyAuthorizeAttribute: Attribute { } 

并且您的授权filter只会实现IAuthorizationFilter ，它不会是FilterAttribute ：

 public class MyAuthorizationFilter: IAuthorizationFilter { private readonly ISomeRepository repository; public class MyAuthorizationFilter(ISomeRepository repository) { this.repository = repository; } public void OnAuthorization(AuthorizationContext filterContext) { var key = filterContext.HttpContext.Request.QueryString["param_name"]; if (!IsValid(key)) { // Unauthorized! filterContext.Result = new HttpUnauthorizedResult(); } } private bool IsValid(string key) { // You know what to do here => go hit your RavenDb // and perform the necessary checks throw new NotImplementedException(); } } 

然后你将拥有自定义filter提供程序：

 public class MyFilterProvider : IFilterProvider { public IEnumerable GetFilters(ControllerContext controllerContext, ActionDescriptor actionDescriptor) { if (actionDescriptor.GetCustomAttributes(typeof(MyAuthorizeAttribute), true).Any()) { var filter = DependencyResolver.Current.GetService(); yield return new Filter(filter, FilterScope.Global); } yield break; } } 

将在您的Application_Start注册：

 FilterProviders.Providers.Add(new MyFilterProvider());