/// <summary>
/// Collects the action and resource claims that describe the current request and
/// hands them to <c>CheckAccess</c> for the authorization decision.
/// </summary>
/// <param name="actionContext">
/// Context of the Web API action being invoked. It is dereferenced without a null
/// check, so a null context surfaces as an exception rather than a <c>false</c> result.
/// </param>
/// <returns>The value returned by <c>CheckAccess</c> for the collected claims.</returns>
protected override bool IsAuthorized(HttpActionContext actionContext)
{
    // Action claims: the attribute-declared action (optional) goes first,
    // the controller-derived action is always appended.
    var actionClaims = new List<Claim>();
    var attributeAction = ActionFromAttribute();
    if (attributeAction != null)
    {
        actionClaims.Add(attributeAction);
    }

    actionClaims.Add(actionContext.ActionFromController());

    // Resource claims: attribute-declared resources (optional), then the controller's.
    var resourceClaims = new List<Claim>();
    var attributeResources = ResourcesFromAttribute();
    if (attributeResources != null)
    {
        resourceClaims.AddRange(attributeResources);
    }

    resourceClaims.AddRange(actionContext.ResourceFromController());

    // The "controller" entry is skipped here because the controller resource was
    // already added explicitly above. The comparison is an exact, case-sensitive
    // match on the claim type.
    // NOTE(review): these claims presumably carry values taken from the request's
    // route data (helper not shown); if so they are caller-supplied, and CheckAccess
    // should treat them as untrusted input. Confirm against the helper.
    var routeResources =
        from routeClaim in actionContext.ResourcesFromRouteParameters()
        where routeClaim.Type != "controller"
        select routeClaim;
    resourceClaims.AddRange(routeResources);

    // Only resources are de-duplicated (via ClaimComparer); actions are passed as collected.
    var request = actionContext.Request;
    var requestedActions = actionClaims.ToArray();
    var requestedResources = resourceClaims.Distinct(new ClaimComparer()).ToArray();

    return CheckAccess(request, requestedActions, requestedResources);
}