AuthorizeAttribute要求您重写OnAuthorization方法，而IAuthorizationFilter要求您实现OnAuthorization方法。在我看来，是一样的事情，还有其他区别吗？为什么一个要比另一个要用？

编辑:
为澄清起见，我试图了解以下两段代码之间的区别。

public class PasswordExpirationCheckAttribute : AuthorizeAttribute
{
    private int _maxPasswordAgeInDays;

    public PasswordExpirationCheckAttribute(int maxPasswordAgeInDays)
    {
        _maxPasswordAgeInDays = maxPasswordAgeInDays;
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (!filterContext.ActionDescriptor.GetCustomAttributes(typeof(BypassPasswordExpirationCheckAttribute), true).Any())
        {
            IPrincipal userPrincipal = filterContext.RequestContext.HttpContext.User;
            if (userPrincipal != null && userPrincipal.Identity.IsAuthenticated)
            {
                var userStore = new ApplicationUserStore(new IdentityDb());
                var userManager = new ApplicationUserManager(userStore);
                var user = userManager.FindByNameAsync(filterContext.RequestContext.HttpContext.User.Identity.Name).Result;

                if (user != null)
                {
                    var timeSpan = DateTime.Today.Date - user.LastPasswordChangedDate.Date;
                    if (timeSpan.TotalDays >= _maxPasswordAgeInDays)
                    {
                        HttpContextBase httpContextBase = new HttpContextWrapper(HttpContext.Current);
                        RequestContext requestContext = new RequestContext(httpContextBase, new RouteData());
                        UrlHelper urlHelper = new UrlHelper(requestContext);

                        filterContext.HttpContext.Response.Redirect(urlHelper.Action("ChangePassword", "Manage"));
                    }
                }
            }
        }

        base.OnAuthorization(filterContext);
    }
}

public class PasswordExpirationCheckAttribute : IAuthorizationFilter
{
    private int _maxPasswordAgeInDays;

    public PasswordExpirationCheckAttribute(int maxPasswordAgeInDays)
    {
        _maxPasswordAgeInDays = maxPasswordAgeInDays;
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (!filterContext.ActionDescriptor.GetCustomAttributes(typeof(BypassPasswordExpirationCheckAttribute), true).Any())
        {
            IPrincipal userPrincipal = filterContext.RequestContext.HttpContext.User;
            if (userPrincipal != null && userPrincipal.Identity.IsAuthenticated)
            {
                var userStore = new ApplicationUserStore(new IdentityDb());
                var userManager = new ApplicationUserManager(userStore);
                var user = userManager.FindByNameAsync(filterContext.RequestContext.HttpContext.User.Identity.Name).Result;

                if (user != null)
                {
                    var timeSpan = DateTime.Today.Date - user.LastPasswordChangedDate.Date;
                    if (timeSpan.TotalDays >= _maxPasswordAgeInDays)
                    {
                        HttpContextBase httpContextBase = new HttpContextWrapper(HttpContext.Current);
                        RequestContext requestContext = new RequestContext(httpContextBase, new RouteData());
                        UrlHelper urlHelper = new UrlHelper(requestContext);

                        filterContext.HttpContext.Response.Redirect(urlHelper.Action("ChangePassword", "Manage"));
                    }
                }
            }
        }

        return;
    }
}

IAuthorizationFilter只是一个接口(interface)。它什么也没做。如果要使用它，则必须实现自己的授权属性，该属性从头开始实现该接口(interface)。

另一方面，AuthorizeAttribute开箱即用。它实现了IAuthorizationFilter并已经满足了开发人员的共同需求。如果您想扩展它的功能，它仍然允许您重写OnAuthorization方法，但是您不必这样做，因为如果不这样做，它就可以正常工作。