Why can't you create custom authorization or exception filters?
I was really surprised to discover that AuthorizeFilterAttribute and HandleErrorAttribute are both sealed. It seems strange because the framework only recognises authorization and exception filters when they're of this type (it's not enough just to implement IExceptionFilter or IAuthorizationFilter).
Is the idea that nobody will ever need a custom one, or are folks supposed to implement authorization and exception handling using normal action filters (i.e. derived from ActionFilterAttribute)? If it's the latter, that loses the semantics of special auth filters (that always run before other attributes, regardless of ordering) and special exception filters (that catch what other filters fail to catch, regardless of ordering).
Right now the only way around this is to implement a custom ControllerActionInvoker and override GetFiltersForActionMethod() so that you pick up arbitrary IExceptionFilters and IAuthorizationFilters, which seems unnecessarily advanced.