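        /// <summary>
        /// Called when a request needs authorization. Actions marked <see cref="AllowAnonymousAttribute"/>
        /// (on the action or its controller) pass through without any credential check. Every other
        /// action requires an HTTP Basic <c>Authorization</c> header that <c>IsAuthorized</c> accepts for the
        /// operations declared by the action's <see cref="LinkedOperationsAttribute"/>; anything else ends in a
        /// 401 via <c>CreateUnauthorizedResponse</c>. The outcome is always audited in the <c>finally</c> block.
        /// A client header <c>authorization-only: true</c> turns an allowed request into an immediate 200 OK
        /// so the pipeline stops before the action runs; it never grants access on its own.
        /// </summary>
        /// <param name="actionContext">The action context, which encapsulates information for using System.Web.Http.Filters.AuthorizationFilterAttribute</param>
        public override void OnAuthorization(HttpActionContext actionContext)
        {
            ICollection<LinkedOperationsAttribute> operationAttributes           = actionContext.ActionDescriptor.GetCustomAttributes<LinkedOperationsAttribute>();
            ICollection<AllowAnonymousAttribute>   actionAnonymousAttributes     = actionContext.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>();
            ICollection<AllowAnonymousAttribute>   controllerAnonymousAttributes = actionContext.ControllerContext.ControllerDescriptor.GetCustomAttributes<AllowAnonymousAttribute>();

            try
            {
                bool actionAllowsAnonymous = actionAnonymousAttributes.Count > 0 || controllerAnonymousAttributes.Count > 0;

                if (actionAllowsAnonymous)
                {
                    // No operations are enforced and no credentials are examined for anonymous actions,
                    // even when an Authorization header is present.
                    ShortCircuitIfAuthorizationOnly(actionContext);
                    return;
                }

                // Operations come from the first LinkedOperations attribute on the action (there should be only
                // one; any second attribute is silently ignored). With none, null is handed to IsAuthorized,
                // which decides what that means -- NOTE(review): presumably "any authenticated user"; confirm.
                List<Operations> actionLinkedOperations = operationAttributes.Count > 0 ? operationAttributes.First().AllowedOperations : null;

                var authorizationHeader = actionContext.Request.Headers.Authorization;

                // Only the Basic scheme is accepted; the credential and operation check is delegated to IsAuthorized.
                // NOTE(review): Basic credentials travel base64-encoded, not encrypted, so this filter assumes
                // TLS is enforced upstream -- confirm.
                bool hasBasicCredentials = authorizationHeader != null &&
                                           authorizationHeader.Scheme.Equals("basic", StringComparison.OrdinalIgnoreCase) &&
                                           !string.IsNullOrWhiteSpace(authorizationHeader.Parameter);

                if (hasBasicCredentials && IsAuthorized(authorizationHeader, actionLinkedOperations))
                {
                    ShortCircuitIfAuthorizationOnly(actionContext);
                    return;
                }

                // Fail closed: a missing header, a non-Basic scheme, an empty parameter or a rejection by
                // IsAuthorized all end here with the same 401, so a caller cannot tell the cases apart.
                actionContext.CreateUnauthorizedResponse(UnauthorizedReasonEnum.UnauthorizedOperation);
            }
            finally
            {
                // Audit every outcome, including the anonymous and early-return paths.
                SaveOperationAuditModel(actionContext, operationAttributes);
            }
        }

        /// <summary>
        /// Honors the client-supplied <c>authorization-only</c> request header: when its first value is
        /// exactly <c>"true"</c>, a 200 OK response is set on the context so the pipeline short-circuits
        /// without executing the action. Callers invoke this only after the request has already been
        /// allowed (anonymous action or accepted credentials), so the header never grants access by itself.
        /// </summary>
        /// <param name="actionContext">The action context whose request headers are inspected and whose response may be set.</param>
        private static void ShortCircuitIfAuthorizationOnly(HttpActionContext actionContext)
        {
            IEnumerable<string> authOnlyHeader;
            // FirstOrDefault: a header present with no values must not throw, it simply does not short-circuit.
            if (actionContext.Request.Headers.TryGetValues("authorization-only", out authOnlyHeader) &&
                authOnlyHeader.FirstOrDefault() == "true")
            {
                actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.OK);
            }
        }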
        /// <summary>
        /// Runs before the action executes and makes sure NAAS credentials are available to the controller.
        /// Credentials supplied through the action's <see cref="BaseAuthenticationParameters"/> argument win;
        /// otherwise an HTTP Basic <c>Authorization</c> header is required and is copied into the controller's
        /// <c>HttpBasicAuthorizationParameters</c>. A wrong controller type or a missing parameters argument
        /// yields 400; a missing or unparseable header yields 401.
        /// </summary>
        /// <param name="actionContext">The action context for the request about to execute.</param>
        public override void OnActionExecuting(HttpActionContext actionContext)
        {
            base.OnActionExecuting(actionContext);

            // The attribute only makes sense on controllers that can receive the parsed credentials.
            var credentialsController = actionContext.ControllerContext.Controller as NAASCredentialsRequiredController;
            if (credentialsController == null)
            {
                actionContext.CreateBadRequestResponse("The NAASCredentialsRequiredAttribute requires a controller of type NAASCredentialsRequiredController");
                return;
            }

            // The action must take a BaseAuthenticationParameters argument; FindAuthenticationParameters locates it.
            BaseAuthenticationParameters baseParameters = FindAuthenticationParameters(actionContext);
            if (baseParameters == null)
            {
                actionContext.CreateBadRequestResponse("Base authentication parameters are required and were not found");
                return;
            }

            // NOTE(review): this is an instance field on the attribute. ASP.NET Web API reuses filter attribute
            // instances across requests, so a per-request flag kept here can be overwritten by a concurrent
            // request before whoever reads it runs. Consider storing it in actionContext.Request.Properties instead.
            bool credentialsSupplied = baseParameters.HasUsernameAndPasswordOrToken;
            UseBasicAuthenticationCredentials_Cached = !credentialsSupplied;

            if (credentialsSupplied)
            {
                // Explicit parameters take precedence; any Authorization header on the request is ignored.
                return;
            }

            // Fall back to HTTP Basic. Without a parseable header the request is rejected with 401 and the
            // first-access time is recorded (presumably for throttling -- confirm in CacheFirstAccessedTime).
            string username, password;
            if (!actionContext.Request.ParseAuthorizationHeader(out username, out password))
            {
                actionContext.CreateUnauthorizedResponse();
                actionContext.CacheFirstAccessedTime();
                return;
            }

            credentialsController.HttpBasicAuthorizationParameters = new BaseAuthenticationParameters(username, password);
        }