When AttributeBasedPolicyProviderFactory provides an HttpControllerContext, it does not include a controller instance, unlike all other controller contexts. (Consumers can expect this invariant elsewhere.)
Also, the request context used (when no request context is present on the request) doesn't have all properties set, including ClientCertificate, IsLocal and IncludeErrorDetail. Consider using RequestBackedHttpRequestContext instead.
Also, the request context used (when no request context is present on the request) doesn't have all properties set, including ClientCertificate, IsLocal and IncludeErrorDetail. Consider using RequestBackedHttpRequestContext instead.