Esempio n. 1
0
        protected override bool IsAuthorized(HttpActionContext actionContext)
        {
            IEnumerable <string> values = new List <string>();
            var found = actionContext.Request.Headers.TryGetValues("MY_APP_KEY", out values);

            if (actionContext.RequestContext.Principal == null || actionContext.RequestContext.Principal.Identity == null)
            {
                return(false);
            }

            var identity = actionContext.RequestContext.Principal.Identity;

            var isInternalAuth  = identity.AuthenticationType == OAuthDefaults.AuthenticationType;
            var isAuthenticated = isInternalAuth
                ? HandleInternalAuthentication(actionContext)
                : HandleWindowsAuthentication(actionContext);

            // if user isn't authenticated, he isn't authorized.
            if (isAuthenticated == false)
            {
                return(false);
            }

//            if (_configurationService.GetMainConfiguration().ManagementServer.IsUsingSession)
            {
                var hasActiveSession = _sessionManagement.HasActiveSession(identity.Name);


                if (!hasActiveSession)
                {
                    // For internal users, all authenticated calls must have an active session.
                    // Windows auth, an authenticated user must have an active session
                    // OR must be calling WindowsLogin to create one.
                    if (isInternalAuth || actionContext.ActionDescriptor.ActionName != "WindowsLogin")
                    {
                        return(false);
                    }
                }

                _sessionManagement.UpdateUserActivity(identity.Name);
            }

            return(true);
        }