Filters & Middleware in ASP.NET Core

Middleware = pipeline for every request. Filters = pipeline for MVC actions only.

Detailed

60-Second Version: Middleware runs for all requests: logging, auth, static files. Filters run only after routing hits a controller: validate, cache, handle errors. Middleware wraps Filters.

1. Middleware: The Request Pipeline

Configured in Program.cs. Order matters.

var app = builder.Build();

app.UseExceptionHandler("/Home/Error"); // 1. Catch exceptions
app.UseStaticFiles(); // 2. Serve wwwroot files
app.UseRouting(); // 3. Match URL to endpoint
app.UseAuthentication(); // 4. Who are you?
app.UseAuthorization(); // 5. Are you allowed?
app.MapControllerRoute( // 6. Run MVC
    name: "default",
    pattern: "{controller=Home}/{action=Index}/{id?}");

app.Run();

Request goes down. Response comes back up. Each middleware can short-circuit.

2. Filters: MVC-Specific Logic

Attributes on controllers or actions. Run after UseRouting picks an action.

Filter Type	Runs When	Example
`[Authorize]`	Before action	Block guests
`[HttpPost]`	During routing	Only allow POST
`[ValidateAntiForgeryToken]`	Before POST action	Prevent CSRF
`[ResponseCache]`	After action	Cache output 60s
`[ServiceFilter]`	Custom logic	Log to DB

3. Filter Pipeline Order

5 types, run in fixed order:

1. Authorization Filters → [Authorize] Can user run this?
2. Resource Filters → [ResponseCache] Runs before/after all else
3. Action Filters → [ServiceFilter] Runs before/after action method
4. Exception Filters → [HandleError] Catch unhandled exceptions
5. Result Filters → [OutputCache] Runs before/after IActionResult executes

4. Custom Action Filter

public class LogActionFilter : IActionFilter
{
    public void OnActionExecuting(ActionExecutingContext context)
    {
        // Runs BEFORE action
        Console.WriteLine($"Starting {context.ActionDescriptor.DisplayName}");
    }

    public void OnActionExecuted(ActionExecutedContext context)
    {
        // Runs AFTER action
        Console.WriteLine($"Finished with {context.Result}");
    }
}

// Register: builder.Services.AddScoped<LogActionFilter>();
// Use: [ServiceFilter(typeof(LogActionFilter))]
public class ProductController : Controller { }

Beginner Trap: Priya puts app.UseAuthorization(); before app.UseRouting();. Auth fails because routing hasn't set endpoint yet. Order: Exception → StaticFiles → Routing → Auth → Endpoints.

1. Middleware vs Filters: Key Differences

	Middleware	Filters
Scope	All requests: API, MVC, Razor Pages, static files	MVC/Razor Pages only
Access	`HttpContext` only	`HttpContext` + `ActionContext`, `ModelState`
Short-circuit	`await next()` or return	Set `context.Result`
Use case	Logging, CORS, auth, compression	Validation, caching, action-level auth

2. Writing Custom Middleware

Runs for every request. Must call next() or pipeline stops.

public class RequestTimingMiddleware
{
    private readonly RequestDelegate _next;

    public RequestTimingMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var sw = Stopwatch.StartNew();
        await _next(context); // Call next middleware
        sw.Stop();
        Console.WriteLine($"{context.Request.Path} took {sw.ElapsedMilliseconds}ms");
    }
}

// Program.cs
app.UseMiddleware<RequestTimingMiddleware>();

What is RequestDelegate? Function pointer to next middleware. Chain continues.

3. Exception Filter vs Middleware

Middleware: app.UseExceptionHandler("/Error"); Catches all exceptions, even outside MVC.

Filter: [HandleError] Catches only exceptions in action or action filters.

public class CustomExceptionFilter : IExceptionFilter
{
    public void OnException(ExceptionContext context)
    {
        if (context.Exception is DbUpdateException)
        {
            context.Result = new ViewResult { ViewName = "DbError" };
            context.ExceptionHandled = true;
        }
    }
}

4. Resource Filters: Run Before Model Binding

Only filter type that runs before model binding and action filters. Good for caching.

public class CacheResourceFilter : IAsyncResourceFilter
{
    public async Task OnResourceExecutionAsync(
        ResourceExecutingContext context,
        ResourceExecutionDelegate next)
    {
        // Check cache BEFORE binding
        if (_cache.TryGetValue(context.HttpContext.Request.Path, out var cached))
        {
            context.Result = cached; // Short-circuit, skip action
            return;
        }

        var executed = await next(); // Run rest of pipeline

        // Cache result AFTER action
        _cache.Set(context.HttpContext.Request.Path, executed.Result);
    }
}

5. Async Filters & Cancellation

Use async versions for I/O. Check cancellation tokens.

public class AsyncLogFilter : IAsyncActionFilter
{
    public async Task OnActionExecutionAsync(
        ActionExecutingContext context,
        ActionExecutionDelegate next)
    {
        if (context.HttpContext.RequestAborted.IsCancellationRequested)
            return; // Client disconnected

        await _logger.LogAsync("Start");
        await next(); // Run action
        await _logger.LogAsync("End");
    }
}

FAANG Tip: Filter order within same type = global → controller → action. [Authorize] on controller runs before [AllowAnonymous] on action. Result: action still blocked. Use [OverrideAuthorization] or refactor. Also, ResourceFilter runs even if action doesn't exist. Good for 404 logging, bad for ModelState access = null.

Quick Check 🧠

Next: Partial Views & View Components - Reusable UI chunks.

← Views & Razor

Dependency Injection →

Comments on Tag Helpers (0)

No comments yet. Be the first to share your thoughts!

C# Tutorial