的WebAPI定製的授權屬性不工作

Question

我有以下的自定義屬性授權

namespace xx.Api 
{ 
    public class MyAuthorizeAttribute : AuthorizeAttribute 
    { 

     public MyAuthorizeAttribute(params string[] roleKeys) 
     { 
      List<string> users = new List<string>(roleKeys.Length); 
      var allRoles = (NameValueCollection)ConfigurationManager.GetSection("users"); 
      foreach (var roleKey in roleKeys) 
      { 
       users.Add(allRoles[roleKey]); 
      } 

      this.Roles = string.Join(",", users); 
     } 
    } 
} 

我有以下的Web API方法

[MyAuthorize("user")] 
     [ResponseType(typeof(tblArea))] 
     public IHttpActionResult GettblAreasByActivo() 
     { 
      var query = from a in db.tblAreas 
         orderby a.strArea 
         select a; 

而且我有這個在web.config

<configSections> 
    <!-- For more information on Entity Framework configuration, visit http://go.microsoft.com/fwlink/?LinkID=237468 --> 
    <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" /> 
    <section 
     name="users" 
     type="System.Configuration.NameValueFileSectionHandler,System, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /> 
    </configSections> 
    <users> 
    <add key="user" value="domain\firstname.lastname" /> 
    </users> 

我把我的用戶名放在那裏，當我將API方法url分享給同事時，他可以立即看到JSON，它應該被拒絕訪問。

我錯過了什麼？

Answer 1

選中此項：How to do role based authorization for asp.net mvc 4 web api以及ASP.NET MVC 4 Web API Authentication with Membership Provider。

嘗試在IIS上啓用Windows身份驗證，重寫AuthorizationAttribute的OnAuthorize方法並檢查用戶是否設置正確。