WebApi自定义授权属性不起作用

Question

I have the following Custom Authorize attribute

namespace xx.Api
{
    public class MyAuthorizeAttribute : AuthorizeAttribute
    {

        public MyAuthorizeAttribute(params string[] roleKeys)
        {
            List<string> users = new List<string>(roleKeys.Length); 
            var allRoles = (NameValueCollection)ConfigurationManager.GetSection("users");
            foreach (var roleKey in roleKeys)
            {
                users.Add(allRoles[roleKey]);
            }

            this.Roles = string.Join(",", users);
        }
    }
}

I have the following web api method

[MyAuthorize("user")]
        [ResponseType(typeof(tblArea))]
        public IHttpActionResult GettblAreasByActivo()
        {
            var query = from a in db.tblAreas
                        orderby a.strArea
                        select a;

And I have this in the web.config

<configSections>
    <!-- For more information on Entity Framework configuration, visit http://go.microsoft.com/fwlink/?LinkID=237468 -->
    <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
    <section
      name="users"
      type="System.Configuration.NameValueFileSectionHandler,System, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </configSections>
  <users>
    <add key="user" value="domain\firstname.lastname" />
  </users>

I put my username there, and when I share the API methods url to a colleague, he can see the JSON immediately, it should be access denied.

What am I missing?

Answer 1

Check this: How to do role based authorization for asp.net mvc 4 web api and also ASP.NET MVC 4 Web API Authentication with Membership Provider .

Try to enable Windows Authentication on IIS, override OnAuthorize method of AuthorizationAttribute and check if user is set correctly.