对于我的场景来说，***的解决方案似乎是完全绕过基本的 OnAuthorization.由于我每次都必须对 cookie 和缓存进行身份验证，因此该原理没有多大用处.所以这是我想出的解决方案:

The best solution for my scenario appears to be bypass the base OnAuthorization completely. Since I have to authenticate each time cookies and caching the principle are not of much use. So here is the solution I came up with:

public override void OnAuthorization(HttpActionContext actionContext)
{
    string username;
    string password;

    if (GetUserNameAndPassword(actionContext, out username, out password))
    {
        if (Membership.ValidateUser(username, password))
        {
            if (!isUserAuthorized(username))
                actionContext.Response = 
                    new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden);
        }
        else
        {
            actionContext.Response = 
                new HttpResponseMessage(System.Net.HttpStatusCode.Unauthorized);
        }
    }
    else
    {
        actionContext.Response = 
            new HttpResponseMessage(System.Net.HttpStatusCode.BadRequest);
    }
}

我开发了自己的方法来验证名为 isUserAuthorized 的角色，我不再使用基本的 OnAuthorization，因为它检查了当前的原则 查看它是否已认证.IsAuthenticated 只允许获取，所以我不确定如何设置它，而且我似乎不需要当前的原则.对此进行了测试，效果很好.

I developed my own method for validating the roles called isUserAuthorized and I am not using the base OnAuthorization any more since it checks the current Principle to see if it isAuthenticated. IsAuthenticated only allows gets so I am not sure how else to set it, and I do not seem to need the current Principle. Tested this out and it works fine.

如果有人有更好的解决方案或可以看到此解决方案的任何问题，仍然感兴趣.

Still interested if anyone has a better solution or can see any issues with this this one.