public override bool IsAuthorized(AuthFilterContext context) { if (DomainUtility.IsTestEnvironment) { return(true); } using (APIAccessService apiAccessService = new APIAccessService()) { //when a client is calling main api ,they have to put token,which is password, in header named token if (context.ActionContext.Request.Headers.Contains("token")) { return(apiAccessService.HasAccess(ApiUtility.GetIPAddress(), context.ActionContext.Request.Headers.GetValues("token").FirstOrDefault())); } else { if (AccessUtility.CalledByLocalSA(HttpContext.Current.Request)) { //it is called from single action module in same server with same ip. return(true); } else { //when bpms user panel is calling engine api,every request should have formToken in its parameters. string formToken = context.ActionContext.RequestContext.Url.Request.GetHttpContext().Request.QueryString[FormTokenUtility.FormToken]; return(FormTokenUtility.ValidateFormToken(formToken, HttpContext.Current.Session.SessionID)); } } } }