Custom Authorization - How do I use data retrieved later in the controller?
http://forums.asp.net/t/1771313.aspx/1?Custom+Authorization+How+do+I+use+data+retrieved+later+in+the+controller+
Tue, 28 Feb 2012 21:08:53 -0500

http://forums.asp.net/p/1771313/4839940.aspx/1?Custom+Authorization+How+do+I+use+data+retrieved+later+in+the+controller+
<p>I am using a Custom Authorization Attribute for an MVC Web Service that takes JSON and/or XML payloads. Part of each payload is some data that identifies the customer that is submitting the API. I want to use the custom attribute to pull data out of the payload and verify that the customer is authenticated and authorized to attempt the requested API. This is done by calling some methods in my repository that check the database against the credentials sent in the payload and then returning a TRUE or FALSE. However, because I hit the database and gathered a lot of good info, I want to be able to keep this for the duration of the request processing. This customer data has special config data for this customer as well as other unique info that the rest of the app needs to properly service the request for this specific customer.</p>
<p>I do not want to hit the DB again, since I did it at authorization time. I am replacing an older WCF service that did this just fine, but then it was part of my API logic as we did not have these cool attributes.</p>
<p>My questions are two:</p>
<p>1) How can I get the "object" that is passed in as part of the request in the authorization code so I can actually perform the required auth?</p>
<p>2) Once it "passes", I get into my controller code, so how do I pass the values that I retrieved from the DB from the authorization attribute code into my controller action where I actually need them?</p>
<p>These are totally stateless API calls (as they should be for
an API), so each request is authenticated and I need the CustomerInformation object that I built in Authorization to be available in my controller action.</p>
<p>Any help is appreciated - I am using the BETA MVC 4 Web API.</p>
2012-02-19T20:33:54-05:00

Re: Custom Authorization - How do I use data retrieved later in the controller?
http://forums.asp.net/p/1771313/4855590.aspx/1?Re+Custom+Authorization+How+do+I+use+data+retrieved+later+in+the+controller+
<p>Figured this out. First of all, the AuthorizeAttribute that you want to override is the System.Web.Http.AuthorizeAttribute, not the System.Web.Mvc.AuthorizeAttribute.</p>
<p>Once I did this, the OnAuthorization override is the place to put the code.</p>
<p>You need to add another attribute to your specialized authorization to AllowAnonymous - again be sure to use the System.Web.Http.AllowAnonymous, not the MVC one.</p>
<p>Then you can access your controller class using:</p>
<p>MyController c = actionContext.ControllerContext.Controller as MyController;</p>
<p>Then you can set any property on that class - this is where you put your info that you painfully extracted from the DB while authorizing this request.</p>
<p>Then, if you want to fail the request because it did not pass your strict rules,
simply set the actionContext.Response like this:</p>
<p>actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Unauthorized);</p>
<p>Otherwise just fall through and you will be in your Controller Method with the pretty little property you set earlier all intact.</p>
<p>By the way - do not call the base.OnAuthorization because it will fail you because some membership provider is not there....</p>
<p>The big problem I had was that I used the MVC versions of the attributes, not the http versions.</p>
<p>Code snippet of my custom attribute is here: -- Hope this helped someone!</p>
<pre class="prettyprint">
using System;
using System.Net;
using System.Net.Http;

[AttributeUsage(AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
[System.Web.Http.AllowAnonymous]
public class AuthorizeMerchantAttribute : System.Web.Http.AuthorizeAttribute
{
    public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        // bypass the base class code
        //base.OnAuthorization(actionContext);

        // get a reference to my controller
        TestAuthController c = actionContext.ControllerContext.Controller as TestAuthController;

        // the cast yields null on any other controller type; deny instead of throwing
        if (c == null)
        {
            actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
            return;
        }

        // Call some method to do my custom authorization setting a property on my controller to the results
        // (ValidateMerchant() is not shown in this post)
        c.MerchantInformation = ValidateMerchant();

        // Check to see if my magic boolean is FALSE, and if so, return Unauthorized
        if (!c.MerchantInformation.IsAllowed)
        {
            actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
        }
    }
}
</pre>
2012-02-28T21:08:53-05:00
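
An alternative to setting a property on one specific controller type, as an added example that is not the poster's code: the attribute stores the lookup result in `actionContext.Request.Properties`, so any controller can read it, and a request whose lookup fails is denied before the action runs. The shape of `MerchantInformation`, the `X-Merchant-Key` header, the sample entries and the class names are assumptions made for illustration.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;

// Hypothetical stand-in for the poster's MerchantInformation type.
public class MerchantInformation { public string MerchantId; public bool IsAllowed; }

public class AuthorizeMerchantViaRequestAttribute : AuthorizeAttribute
{
    // Hypothetical key under which the lookup result travels with the request.
    public const string MerchantKey = "Example.MerchantInformation";
    // Constructed sample data standing in for the repository/database check.
    private static readonly Dictionary<string, MerchantInformation> Merchants =
        new Dictionary<string, MerchantInformation> {
            { "sample-1", new MerchantInformation { MerchantId = "M1", IsAllowed = true } },
            { "sample-2", new MerchantInformation { MerchantId = "M2", IsAllowed = false } } };

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        MerchantInformation merchant = Lookup(actionContext.Request);
        if (merchant == null || !merchant.IsAllowed)
        {
            // Fail closed: unknown and disallowed merchants both get 401.
            actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
            return;
        }
        // Stored only after the check passes, so an action never sees a denied merchant.
        actionContext.Request.Properties[MerchantKey] = merchant;
    }

    // Assumption: the identifier arrives in an X-Merchant-Key header (hypothetical name).
    private static MerchantInformation Lookup(HttpRequestMessage request)
    {
        IEnumerable<string> values;
        MerchantInformation found;
        if (!request.Headers.TryGetValues("X-Merchant-Key", out values)) return null;
        return Merchants.TryGetValue(values.FirstOrDefault() ?? "", out found) ? found : null;
    }
}

public class MerchantEchoController : ApiController // hypothetical controller
{
    [AuthorizeMerchantViaRequest]
    public string Get()
    {
        return ((MerchantInformation)Request.Properties[AuthorizeMerchantViaRequestAttribute.MerchantKey]).MerchantId;
    }
}
```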