public System.Net.Http.HttpResponseMessage GetData(string controller, string action, string formToken = "")
        {
            if (FormTokenUtility.ValidateFormToken(formToken, HttpContext.Current.Session.SessionID))
            {
                SingleActionSettingDTO setting = new SingleActionSettingDTO(new HttpRequestWrapper(HttpContext.Current.Request), base.PortalSettings.PortalId);
                //when calling main bpms api from client application, there  is no need to pass formToken to main bpms api.
                string url    = UrlUtility.GetApiUrl(setting.WebApiAddress, action, controller, "", this.GetParameters().ToArray());
                var    result = ApiUtility.GetData(url, setting.WebServicePass, base.UserInfo.Username, ApiUtility.GetIPAddress(), HttpContext.Current.Session.SessionID, FormTokenUtility.GetIsEncrypted(formToken, HttpContext.Current.Session.SessionID));

                /*
                 * In ReportEngine.cs response would be flushed and as a result sessionID will be rewrite with server
                 * session ID which is different with singleAction sessionID because it sends data using api to server
                 * and therefore it must rewrite sessionid there in case user call report or download a file.
                 */
                SessionIDManager Manager = new SessionIDManager();
                Manager.SaveSessionID(HttpContext.Current, HttpContext.Current.Session.SessionID, out bool redirected, out bool IsAdded);

                return(result);
            }
            else
            {
                throw new System.Web.Http.HttpResponseException(System.Net.HttpStatusCode.Unauthorized);
            }
        }