Injecting dependencies into controllers is a pretty simple task with a custom controller factory. Injecting them into attributes is a bit more work. Simone Chiaretta has a nice post on how to do this with Ninject; we'll do the same thing below with StructureMap.

First lets start with the controller factory:

public class ExtensibleControllerFactory : DefaultControllerFactory
{
    private readonly Func<Type, Controller> _factory;
    private readonly ControllerActionInvoker _actionInvoker;

    public ExtensibleControllerFactory(Func<Type, Controller> factory, ControllerActionInvoker actionInvoker)
    {
        _factory = factory;
        _actionInvoker = actionInvoker;
    }

    protected override IController GetControllerInstance(
        RequestContext requestContext,
        Type controllerType)
    {
        var controller = _factory(controllerType);
        controller.ActionInvoker = _actionInvoker;
        return controller;
    }
}

This controller factory allows us to pass in a lambda that creates controllers as well as a custom action invoker. Here is where we can inject our controller and action filter dependencies. Next we have an extensible action invoker (That we'll pass into the controller above):

public class ExtensibleActionInvoker : ControllerActionInvoker
{
    private readonly Action<IActionFilter> _actionFilter;
    private readonly Action<IAuthorizationFilter> _authorizationFilter;

    private ExtensibleActionInvoker(Action<IActionFilter> actionFilter, Action<IAuthorizationFilter> authorizationFilter)
    {
        _actionFilter = actionFilter;
        _authorizationFilter = authorizationFilter;
    }

    public static ExtensibleActionInvoker Create(Action<IActionFilter> actionFilter)
    {
        return new ExtensibleActionInvoker(actionFilter, null);
    }

    public static ExtensibleActionInvoker Create(Action<IAuthorizationFilter> authenticationFilter)
    {
        return new ExtensibleActionInvoker(null, authenticationFilter);
    }

    public static ExtensibleActionInvoker Create(Action<IActionFilter> actionFilter, 
                                                 Action<IAuthorizationFilter> authenticationFilter)
    {
        return new ExtensibleActionInvoker(actionFilter, authenticationFilter);
    }

    protected override AuthorizationContext InvokeAuthorizationFilters(ControllerContext controllerContext, 
                                        IList<IAuthorizationFilter> filters, ActionDescriptor actionDescriptor)
    {
        if (_authorizationFilter != null) filters.Run(f => _authorizationFilter(f));
        return base.InvokeAuthorizationFilters(controllerContext, filters, actionDescriptor);
    }

    protected override ActionExecutedContext InvokeActionMethodWithFilters(
            ControllerContext controllerContext,
            IList<IActionFilter> filters,
            ActionDescriptor actionDescriptor,
            IDictionary<string, object> parameters)
    {
        if (_actionFilter != null) filters.Run(f => _actionFilter(f));
        return base.InvokeActionMethodWithFilters(controllerContext, filters, actionDescriptor, parameters);
    }
}

In the example above we can act on ActionFilters and AuthorizationFilters before an action is executes. This gives us an extensibility point where we can inject dependencies. Again we are passing in lambdas to do this. This keeps these classes open for extension but closed for modification. Attributes are created by .NET, using the parameters we supply at compile time, so we cant inject the dependencies into the attribute constructor. Our only option is to use parameter injection. As an aside, the example above uses the Run method in the Reactive Extensions library. 

To demonstrate how to use the above two classes we'll implement an authentication scheme. Below is an action filter that we'll use to see if the user is authenticated and if not redirect them to the login page (The one that ships with MVC uses forms auth and we don't want to use that):

public class SecureAttribute : FilterAttribute, IAuthorizationFilter
{
    public IAuthenticationService<Credentials> AuthenticationService { get; set; }
    public IAppSettings AppSettings { get; set; }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (!AuthenticationService.IsAuthenticated)
        {
            var url = string.Format(AppSettings["LoginUrl"], 
                                    filterContext.HttpContext.Request.Url.AbsolutePath);
            filterContext.Result = new RedirectResult(url);
        }  
    }
}

This attribute depends on the authentication service (Not shown) and the app settings (Also not show) in order to work. We have public properties to where we can inject these dependencies. Here is how we'd use it on our actions; pretty simple:

[Secure]
public ActionResult Edit(int id) { ... }

[Secure]
[HttpPost]
public ActionResult Edit(Problem problem) { ... }

Next we have a controller that does the actual authentication:

public class HomeController : Controller
{
    private readonly IAuthenticationService<Credentials> _authenticationService;

    public HomeController(IAuthenticationService<Credentials> authenticationService)
    {
        _authenticationService = authenticationService;
    }

    public ActionResult Index()
    {
        return View();
    }

    public ActionResult Login()
    {
        return View();
    }

    [HttpPost]
    public ActionResult Login(UserCredentials credentials, string returnUrl)
    {
        if (!_authenticationService.Authenticate(credentials.Username, credentials.Password).IsAuthenticated)
        {
            ViewData.ModelState.AddModelError("username", "Username or password incorrect.");
            return View();
        }

        if (returnUrl != null) return Redirect(returnUrl);        
        return RedirectToAction<HomeController>(x => x.Index());
    }
}

This controller depends on the authentication service (Not shown) which we can inject via the constructor. Now lets register these dependencies with StructureMap in our bootstrap:

ObjectFactory.Initialize(x =>
                {
                    x.ForSingletonOf<IAppSettings>().Use<AppSettings>();
                    x.SetAllProperties(y => y.OfType<IAppSettings>());

                    x.ForSingletonOf<IAuthenticationService<Credentials>>().Use<AuthenticationService>();
                    x.SetAllProperties(y => y.OfType<IAuthenticationService<Credentials>>());
                });

Now that these are registered we can wire everything up. We'll do this in the application start event in the Global.asax:

protected void Application_Start()
{
    // ...

    ControllerBuilder.Current.SetControllerFactory(
        new ExtensibleControllerFactory(t => (Controller)ObjectFactory.GetInstance(t),
                                        ExtensibleActionInvoker.Create((Action<IAuthorizationFilter>)(ObjectFactory.BuildUp))));
}

The first parameter in our extensible controller factory constructor is the lambda that creates our controller. The second is the custom action invoker. In the custom action invoker constructor we pass the StructureMap BuildUp method to inject parameter dependencies into authorization filters. Now both our controllers and action filters are completely decoupled.

The complete source can be found here.