protected override bool IsAuthorized(HttpActionContext actionContext)
{
IEnumerable <string> values = new List <string>();
var found = actionContext.Request.Headers.TryGetValues("MY_APP_KEY", out values);
if (actionContext.RequestContext.Principal == null || actionContext.RequestContext.Principal.Identity == null)
{
return(false);
}
var identity = actionContext.RequestContext.Principal.Identity;
var isInternalAuth = identity.AuthenticationType == OAuthDefaults.AuthenticationType;
var isAuthenticated = isInternalAuth
? HandleInternalAuthentication(actionContext)
: HandleWindowsAuthentication(actionContext);
// if user isn't authenticated, he isn't authorized.
if (isAuthenticated == false)
{
return(false);
}
// if (_configurationService.GetMainConfiguration().ManagementServer.IsUsingSession)
{
var hasActiveSession = _sessionManagement.HasActiveSession(identity.Name);
if (!hasActiveSession)
{
// For internal users, all authenticated calls must have an active session.
// Windows auth, an authenticated user must have an active session
// OR must be calling WindowsLogin to create one.
if (isInternalAuth || actionContext.ActionDescriptor.ActionName != "WindowsLogin")
{
return(false);
}
}
_sessionManagement.UpdateUserActivity(identity.Name);
}
return(true);
}
