Unlike its counterparts, the SignalR AuthorizeAttribute is sealed and does not allow the authorization decision to be overridden in a subclass.
As per conversation with @davidfowl, this is a request to unseal AuthorizeAttribute and make UserAuthorized a protected virtual bool.
Additionally, perhaps UserAuthorized should be renamed to AuthorizeCore or IsAuthorized to try and be consistent with either MVC or WebAPI (but not both).
I don't think that UserAuthorized should be renamed since its parameter is only an IPrincipal instead of a fuller HttpContextBase or HttpActionContext. I would be more tempted to rename it if MVC and WebAPI shared the same convention.
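What a subclass could look like if the request above were implemented, as an added example that is not code from this thread or from the SignalR project. It assumes AuthorizeAttribute is unsealed, that UserAuthorized is `protected virtual bool UserAuthorized(IPrincipal)`, and that the types live in the `Microsoft.AspNet.SignalR` namespace; `RequireClaimAttribute`, `ReportsHub` and the claim values are hypothetical.

```csharp
using System;
using System.Security.Claims;
using System.Security.Principal;
using Microsoft.AspNet.SignalR; // assumed namespace of AuthorizeAttribute and Hub

// Hypothetical subclass: compiles only if AuthorizeAttribute is unsealed and
// UserAuthorized is declared "protected virtual bool UserAuthorized(IPrincipal)".
public class RequireClaimAttribute : AuthorizeAttribute
{
    private readonly string _type;
    private readonly string _value;

    public RequireClaimAttribute(string type, string value)
    {
        if (string.IsNullOrEmpty(type)) throw new ArgumentException("Claim type is required.", "type");
        if (string.IsNullOrEmpty(value)) throw new ArgumentException("Claim value is required.", "value");
        _type = type;
        _value = value;
    }

    protected override bool UserAuthorized(IPrincipal user)
    {
        // Run the inherited decision first so this override can only narrow
        // access, never grant something the base attribute would refuse.
        if (!base.UserAuthorized(user)) return false;

        // Fail closed: the only input is an IPrincipal, so anything that is not
        // an authenticated claims principal is denied rather than guessed at.
        var claims = user as ClaimsPrincipal;
        if (claims == null || claims.Identity == null || !claims.Identity.IsAuthenticated)
            return false;

        return claims.HasClaim(_type, _value);
    }
}

// Constructed usage: only callers holding the department=finance claim
// may connect to or invoke methods on this hub.
[RequireClaim("department", "finance")]
public class ReportsHub : Hub
{
    public string Ping() { return "pong"; }
}
```

Because the method receives only an IPrincipal, the override can decide on identity, roles and claims but has no access to request details such as headers or the query string.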