/// <summary>
/// Builds the action and resource claim sets for the current request and
/// delegates the authorization decision to <c>CheckAccess</c>.
/// </summary>
/// <param name="actionContext">The context of the action being authorized.</param>
/// <returns>The result of <c>CheckAccess</c> for the collected claims.</returns>
protected override bool IsAuthorized(HttpActionContext actionContext)
{
    // Action claims: the attribute-declared action (when present) comes first,
    // followed by the one derived from the controller.
    var actionClaims = new List<Claim>();
    var attributeAction = ActionFromAttribute();
    if (attributeAction != null)
    {
        actionClaims.Add(attributeAction);
    }

    // NOTE(review): unlike the attribute value, this result is added without a
    // null check - confirm ActionFromController() never returns null.
    actionClaims.Add(actionContext.ActionFromController());

    // Resource claims: attribute-declared resources (when present), then the
    // controller-derived ones, then the route parameters.
    var resourceClaims = new List<Claim>();
    var attributeResources = ResourcesFromAttribute();
    if (attributeResources != null)
    {
        resourceClaims.AddRange(attributeResources);
    }

    resourceClaims.AddRange(actionContext.ResourceFromController());

    // The "controller" route entry is skipped because the controller resource
    // has already been added explicitly above. The type comparison is
    // case-sensitive.
    // NOTE(review): the remaining route-parameter claims presumably carry
    // request-supplied values; the policy behind CheckAccess should treat them
    // as untrusted input - confirm.
    var routeResources = actionContext
        .ResourcesFromRouteParameters()
        .Where(claim => claim.Type != "controller");
    resourceClaims.AddRange(routeResources);

    // Duplicates are collapsed with ClaimComparer before the access check.
    var request = actionContext.Request;
    var actionArray = actionClaims.ToArray();
    var resourceArray = resourceClaims.Distinct(new ClaimComparer()).ToArray();

    return CheckAccess(request, actionArray, resourceArray);
}