The new global filters in MVC3 are a nice way to apply behavior globally. Sometimes, though, you'll want to opt an action or controller out of that behavior. Let's take authentication as an example: we want everything to be secure by default, but we may have individual controllers or actions that will be public. The following authorize attribute enables us to create a global filter and then override the global behavior where we need to:

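using System;
using System.Web.Mvc;

// AllowMultiple = false: only one instance of this filter applies per action,
// so a higher-priority scope replaces the global one. Class is included so a
// whole controller can opt out as well as a single action.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]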
public class SecureAttribute : AuthorizeAttribute
{
    private readonly bool _enabled;

    // Default constructor with security enabled, used as a global filter
    public SecureAttribute()
    {
        _enabled = true;
    }

    // Attribute constructor
    public SecureAttribute(bool enabled)
    {
        _enabled = enabled;
    }

    protected override bool AuthorizeCore(System.Web.HttpContextBase httpContext)
    {
        return !_enabled || AuthenticationService.Authenticate();
    }
}

A few things to note. First, we use AttributeUsageAttribute to specify that this attribute should only be applied once. Under the covers, the FilterAttribute class looks for this attribute to determine whether multiple instances of the filter can exist. In the default constructor we specify the default behavior, in this case security being enabled. In our authorization method we check whether authentication is enabled and proceed accordingly.

Here we can register the global default. This filter will have a scope of "Global", which is a lower-priority scope:

public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        GlobalFilters.Filters.Add(new SecureAttribute());
        // ...
    }
}

We can then override the default behavior where appropriate. The action attribute has a scope of "Action", which is a higher-priority scope, so this filter will take precedence over the globally added one:

public class SomeController : Controller
{
    [Secure(false)]
    public ActionResult SomePublicAction()
    {
        return View();
    }
}
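
With everything secure by default, the opt-outs are the part worth reviewing. The following added example (not from the original post) uses reflection to list every controller or action marked [Secure(false)] and returns a failing exit code when one is missing from a reviewed allow-list. The stand-in SecureAttribute and Controller types, the Dashboard action, the Approved list and the SecureOptOutAudit name are assumptions so that it compiles without System.Web.Mvc.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Constructed stand-ins so the audit runs without System.Web.Mvc; in a real
// project use the page's SecureAttribute and System.Web.Mvc.Controller instead.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class SecureAttribute : Attribute
{
    public SecureAttribute() { }
    public SecureAttribute(bool enabled) { }
}
public abstract class Controller { }
public class SomeController : Controller
{
    [Secure(false)] public string SomePublicAction() { return "public"; }
    public string Dashboard() { return "private"; } // hypothetical secured action
}

public static class SecureOptOutAudit
{
    // Hypothetical allow-list of opt-outs that have been reviewed.
    static readonly HashSet<string> Approved = new HashSet<string> { "SomeController.SomePublicAction" };

    // True for [Secure(false)]; reads attribute metadata, so the private _enabled field stays private.
    static bool OptsOut(MemberInfo member)
    {
        return CustomAttributeData.GetCustomAttributes(member).Any(a =>
            a.Constructor.DeclaringType == typeof(SecureAttribute) &&
            a.ConstructorArguments.Count == 1 &&
            false.Equals(a.ConstructorArguments[0].Value));
    }

    // Every controller or action in the assembly that disables the global filter.
    public static List<string> FindOptOuts(Assembly assembly)
    {
        var found = new List<string>();
        foreach (var type in assembly.GetTypes().Where(t => t.IsSubclassOf(typeof(Controller))))
        {
            if (OptsOut(type)) found.Add(type.Name);
            var flags = BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly;
            found.AddRange(type.GetMethods(flags).Where(m => OptsOut(m)).Select(m => type.Name + "." + m.Name));
        }
        return found;
    }

    public static int Main()
    {
        var unreviewed = FindOptOuts(typeof(SecureOptOutAudit).Assembly).Where(n => !Approved.Contains(n)).ToList();
        foreach (var name in unreviewed) Console.WriteLine("Unreviewed [Secure(false)]: " + name);
        return unreviewed.Count == 0 ? 0 : 1; // non-zero exit fails a build step
    }
}
```

Run as a build step or unit test, this turns each new [Secure(false)] into an explicit change to the allow-list.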