My understanding of ASP.NET MVC is that for authorizations I should use something like -
public class IPAuthorize : AuthorizeAttribute {
protected override bool AuthorizeCore(HttpContextBase httpContext) {
//figure out if the ip is authorized
//and return true or false
}
But in Web API, there is no AuthorizeCore(..)
.
There is OnAuthorization(..)
and the general advice for MVC is not to use OnAuthorization(..)
.
What should I use for custom authorizations in Web API?