public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext) { if (IsBasicAuthorized(actionContext)) { ((apiController)actionContext.ControllerContext.Controller).Init(); return; } if (IsServerAuthorized(actionContext)) { return; } if (IsAnonymous(actionContext)) { return; } base.OnAuthorization(actionContext); ClaimsPrincipal principal = actionContext.Request.GetRequestContext().Principal as ClaimsPrincipal; var ci = principal.Identity as ClaimsIdentity; if (!ci.IsAuthenticated) { AuthorizationTokenExpiredException authorizationTokenExpiredException = new AuthorizationTokenExpiredException(); actionContext.Response = actionContext.Request.CreateErrorResponse( HttpStatusCode.Unauthorized, authorizationTokenExpiredException.Message, authorizationTokenExpiredException); return; } try { var usernameObj = principal.Claims.Where(c => c.Type == Database.Username).Single(); var appnameObj = principal.Claims.Where(c => c.Type == Database.AppName).Single(); var infoObj = principal.Claims.Where(c => c.Type == Database.TokenInfo).SingleOrDefault(); if (usernameObj == null) { HandleUnauthorized(actionContext, null, null); return; } if (appnameObj == null) { HandleUnauthorized(actionContext, null, null); return; } string username = usernameObj.Value; string appname = appnameObj.Value; string appNameFromToken = appnameObj.Value; bool mainAppFromToken = appNameFromToken == Maps.DuradosAppName; string appNameInHeader = null; if (actionContext.Request.Headers.Contains("AppName")) { appNameInHeader = actionContext.Request.Headers.GetValues("AppName").FirstOrDefault(); } else if (actionContext.Request.Headers.Contains("appName")) { appNameInHeader = actionContext.Request.Headers.GetValues("appName").FirstOrDefault(); } else if (actionContext.Request.Headers.Contains("appname")) { appNameInHeader = actionContext.Request.Headers.GetValues("appname").FirstOrDefault(); } Durados.Web.Mvc.Controllers.AccountMembershipService accountMembershipService = new Durados.Web.Mvc.Controllers.AccountMembershipService(); if (appNameInHeader != null) { if (appname.ToLower() == Maps.DuradosAppName) { appname = appNameInHeader; } else { if (appname != appNameInHeader) { // BackandSSO if (!IsSso(appname, appNameInHeader)) { actionContext.Response = actionContext.Request.CreateErrorResponse( HttpStatusCode.Unauthorized, string.Format(Durados.Web.Mvc.UI.Helpers.UserValidationErrorMessages.AccessTokenNotAllowedToApp, appNameInHeader)); return; } else { appname = appNameInHeader; if (!System.Web.HttpContext.Current.Items.Contains(Database.AppName)) { System.Web.HttpContext.Current.Items.Add(Database.AppName, appname); } else { System.Web.HttpContext.Current.Items[Database.AppName] = appname; } if (!accountMembershipService.IsApproved(username)) { try { userController uc = new userController(); string provider = GetDomainControllerProvider(appname); var userRow = (DataRow)GetUserRow(appnameObj.Value, username); string socialId = GetSocialId(provider, username, appnameObj.Value); bool hasSocialId = socialId != null; string password = GetPassword(); System.Web.HttpContext.Current.Items.Add(Database.SignupInProcess, true); if (hasSocialId) { uc.SignUpCommand(appname, username, provider, socialId, GetValues(userRow, username), GetFirstName(userRow), GetLastName(userRow), password, true); } else { bool hasMembership = Maps.Instance.GetMap(appname).GetMembershipProvider().GetUser(username, false) != null; if (hasMembership) { var signUpResults = uc.SignUp(appname, null, null, true, GetFirstName(userRow), username, GetLastName(userRow), password, password, new Dictionary <string, object>()); } else { actionContext.Response = actionContext.Request.CreateErrorResponse( HttpStatusCode.Unauthorized, string.Format(Durados.Web.Mvc.UI.Helpers.UserValidationErrorMessages.AccessTokenNotAllowedToApp, appNameInHeader)); return; } } } catch (Exception exception) { actionContext.Response = actionContext.Request.CreateErrorResponse( HttpStatusCode.Unauthorized, exception.Message, exception); } } string key = appname + "_userRow_" + username; System.Web.HttpContext.Current.Items.Remove(key); } } } } if (!System.Web.HttpContext.Current.Items.Contains(Database.Username)) { System.Web.HttpContext.Current.Items.Add(Database.Username, username); } if (!System.Web.HttpContext.Current.Items.Contains(Database.AppName)) { System.Web.HttpContext.Current.Items.Add(Database.AppName, appname); } else { System.Web.HttpContext.Current.Items[Database.AppName] = appname; } if (!System.Web.HttpContext.Current.Items.Contains(Database.MainAppFromToken)) { System.Web.HttpContext.Current.Items.Add(Database.MainAppFromToken, mainAppFromToken); } string infoJson = null; object info = null; if (infoObj != null) { infoJson = infoObj.Value; var jss = new System.Web.Script.Serialization.JavaScriptSerializer(); info = jss.Deserialize <Dictionary <string, object> >(infoJson); } const string ForToken = "forToken"; IDictionary <string, object> tokenInfo = new Dictionary <string, object>(); if (info != null && info is IDictionary <string, object> && ((IDictionary <string, object>)info).ContainsKey(ForToken) && ((IDictionary <string, object>)info)[ForToken] is IDictionary <string, object> ) { tokenInfo = (IDictionary <string, object>)((IDictionary <string, object>)info)[ForToken]; } if (!System.Web.HttpContext.Current.Items.Contains(Database.TokenInfo)) { System.Web.HttpContext.Current.Items.Add(Database.TokenInfo, tokenInfo); } try { if (SharedMemorySingeltone.Instance.Contains(appname, SharedMemoryKey.DebugMode)) { System.Web.HttpContext.Current.Items[Durados.Workflow.JavaScript.Debug] = true; } } catch { } if (!System.Web.HttpContext.Current.Items.Contains(Database.RequestId)) { System.Web.HttpContext.Current.Items.Add(Database.RequestId, Guid.NewGuid().ToString()); } //NewRelic.Api.Agent.NewRelic.AddCustomParameter(Durados.Database.RequestId, System.Web.HttpContext.Current.Items[Database.RequestId].ToString()); //if (actionContext.Request.Headers.Contains("AppName")) //{ try { //if (!IsAppReady()) //{ // throw new Durados.DuradosException("App is not ready yet"); //} //if (!accountMembershipService.ValidateUser(username) || !accountMembershipService.IsApproved(username) || Revoked(appname, GetAuthToken(actionContext))) if (!accountMembershipService.IsApproved(username) || Revoked(appname, GetAuthToken(actionContext))) { HandleUnauthorized(actionContext, appname, username); return; } if (!(Maps.IsDevUser(username) || System.Web.HttpContext.Current.Request.Url.Segments.Contains("general/")) && (new Durados.Web.Mvc.UI.Helpers.DuradosAuthorizationHelper().IsAppLocked(appname) || IsAdminLocked(appname, appNameFromToken, username))) { actionContext.Response = actionContext.Request.CreateErrorResponse( HttpStatusCode.Unauthorized, string.Format(Durados.Web.Mvc.UI.Helpers.UserValidationErrorMessages.AppLocked, appname)); return; } } catch (Durados.Web.Mvc.UI.Helpers.AppNotReadyException exception) { actionContext.Response = actionContext.Request.CreateResponse( HttpStatusCode.NoContent, exception.Message); return; } catch (Exception exception) { actionContext.Response = actionContext.Request.CreateErrorResponse( HttpStatusCode.InternalServerError, string.Format(Messages.Unexpected, exception.Message)); try { Maps.Instance.DuradosMap.Logger.Log(actionContext.ControllerContext.Controller.GetType().Name, actionContext.Request.RequestUri.ToString(), "BackAndAuthorizeAttribute", exception, 1, "authorization failure"); } catch { } try { if (Maps.Instance.AppInCach(appname)) { Durados.Web.Mvc.UI.Helpers.RestHelper.Refresh(appname); } } catch { } return; } //} if (_allowedRoles == "Admin") { string userRole = Maps.Instance.GetMap(appname).Database.GetUserRole(); if (!(userRole == "Admin" || userRole == "Developer")) { actionContext.ActionArguments.Add(Database.backand_serverAuthorizationAttempt, true); actionContext.ActionArguments.Add(UserRoleNotSufficient, true); HandleUnauthorized(actionContext, appname, username); return; } } if (_allowedRoles == "Developer") { string userRole = Maps.Instance.GetMap(appname).Database.GetUserRole(); if (userRole != "Developer") { actionContext.ActionArguments.Add(Database.backand_serverAuthorizationAttempt, true); actionContext.ActionArguments.Add(UserRoleNotSufficient, true); HandleUnauthorized(actionContext, appname, username); return; } } try { string message = null; if (!mainAppFromToken && IsCustomDeny(appname, username, out message)) { HandleUnauthorized(actionContext, appname, username, message); return; } } catch (Exception exception) { HandleUnauthorized(actionContext, appname, username, "Unexpected error: " + exception.Message); return; } ((apiController)actionContext.ControllerContext.Controller).Init(); } catch { HandleUnauthorized(actionContext, null, null); return; } }