Marked as answer by jjonesca on Apr 23, 2012 08:18 PM
jjonesca
Member
2 Points
7 Posts
How to use Web API [Authorize] attribute
Mar 20, 2012 04:30 PM
I am trying to determine how to use the [Authorize] attribute to secure my controller. I watched the MS video provided here, but the video doesn't really explain much. For example, how does adding the [Authorize] attribute to my controller force the controller to require additional info, such as an API key? Basically, I want to verify that the user accessing the API has a valid apiKey, so I know that I would have to create additional logic such as checking a database to ensure the apiKey is valid. BUT how does the Authorize attribute link to (or know how to check) that list of valid apiKeys to know whether the user trying to access the controller is valid or not?
imran_ku07
All-Star
45815 Points
7698 Posts
MVP
Re: How to use Web API [Authorize] attribute
Mar 20, 2012 06:36 PM
Create a custom authorize filter. See this:
http://www.tugberkugurlu.com/archive/api-key-authorization-through-query-string-in-asp-net-web-api-authorizationfilterattribute
Excellent Windows VPS Hosting
Imran Baloch MVP, MVB, MCP, MCTS, MCPD
jjonesca
Member
2 Points
7 Posts
Re: How to use Web API [Authorize] attribute
Mar 20, 2012 07:21 PM
Thanks for the reply. I read through this article, but this seems to be a little bit different though (please correct me if I'm wrong). It appears (as you stated) that this is a "custom" filter. Is it not possible...or sensible, rather, to use the built-in [Authorize] filter? I thought the entire purpose of this Authorize filter was to keep you from having to create a custom filter. Is that incorrect?
Again, thanks for the reply. I'm new to this arena, so I'm just trying to understand as much as possible.
imran_ku07
All-Star
45815 Points
7698 Posts
MVP
Re: How to use Web API [Authorize] attribute
Mar 21, 2012 03:43 AM
The default one does nothing but check UserPrincipal.Identity.IsAuthenticated. But in your case you need to check the API key.
So you can do this:
If you need to stick with the Authorize attribute, then you need to create a custom Identity and Principal.
You can subclass AuthorizeAttribute or AuthorizationFilterAttribute.
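As an added example (not code from the thread or from either poster), a Web API message handler that does what the reply above describes: it authenticates the API key and installs a principal, so the stock [Authorize] attribute, which only tests IsAuthenticated, admits the request without any custom filter. The handler name, the X-Api-Key header, the sample keys and the dictionary store are assumptions; register it once at startup with GlobalConfiguration.Configuration.MessageHandlers.Add(new ApiKeyAuthenticationHandler()).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
// Hypothetical handler, not from the thread; names and sample keys are constructed.
public class ApiKeyAuthenticationHandler : DelegatingHandler
{
    // Constructed sample store; a real application would look keys up in a database.
    private static readonly IDictionary<string, string> KeysToUsers =
        new Dictionary<string, string>(StringComparer.Ordinal)
        { { "EXAMPLE-KEY-0001", "alice" }, { "EXAMPLE-KEY-0002", "bob" } };
    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        IEnumerable<string> values;
        if (request.Headers.TryGetValues("X-Api-Key", out values))
        {
            string user = LookupUser(values.FirstOrDefault());
            if (user != null)
            {
                // [Authorize] only tests User.Identity.IsAuthenticated, which a named GenericIdentity answers true.
                var principal = new GenericPrincipal(new GenericIdentity(user, "ApiKey"), new string[0]);
                Thread.CurrentPrincipal = principal;
                if (HttpContext.Current != null) HttpContext.Current.User = principal;
            }
        }
        // Missing or invalid key: the request stays anonymous and [Authorize] answers 401.
        return base.SendAsync(request, cancellationToken);
    }
    // Compare against every stored key in constant time so timing reveals neither which key nor how much matched.
    private static string LookupUser(string presented)
    {
        if (presented == null) return null;
        byte[] a = Encoding.UTF8.GetBytes(presented);
        string match = null;
        foreach (var entry in KeysToUsers)
        {
            byte[] b = Encoding.UTF8.GetBytes(entry.Key);
            int diff = a.Length ^ b.Length;
            for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
            if (diff == 0) match = entry.Value;
        }
        return match;
    }
}
```

Because the handler runs before any filter, every controller or action carrying the plain [Authorize] attribute is now gated on a valid key, while [AllowAnonymous] actions are unaffected.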
rstrahl
Contributor
2233 Points
375 Posts
ASPInsiders
MVP
Re: How to use Web API [Authorize] attribute
Mar 21, 2012 11:52 PM
Another option is that you can simply handle auth through code in a private method in the controller or your framework. I actually find that easier and cleaner than an attribute because the logic is directly related to your controller/app.

    // Controller method
    public bool SecureOperation()
    {
        AuthenticateUser();
        // ... run your code that requires an authenticated user
        return true;
    }

    // private auth method on controller or elsewhere in app
    private void AuthenticateUser()
    {
        // ... do what you need to authenticate the user, setting 'authenticated'
        if (authenticated)
            return;
        // HttpStatusCode has no NotAuthorized member; the 401 value is Unauthorized,
        // and HttpResponseException takes an HttpResponseMessage rather than a string
        throw new HttpResponseException(
            Request.CreateErrorResponse(HttpStatusCode.Unauthorized, authFailedMessage));
    }

I like this approach because it works anywhere regardless of what platform you use. No custom attribute implementation or other mucking with framework extensions.
+++ Rick ---
West Wind Technologies
Making waves on the Web
www.west-wind.com/weblog
imran_ku07
All-Star
45815 Points
7698 Posts
MVP
Re: How to use Web API [Authorize] attribute
Mar 22, 2012 02:32 AM
Rick, I think this is not DRY. A static method is more appropriate (like FormsAuthentication's static methods) for this approach.
rstrahl
Contributor
2233 Points
375 Posts
ASPInsiders
MVP
Re: How to use Web API [Authorize] attribute
Mar 22, 2012 05:13 AM
Depends on the scope of the controller. If you have one controller then it's fine otherwise - yes by all means abstract it and pass in whatever context is needed from the controller.
Personally I would probably create a custom controller class for an application that includes Authentication and error result tasks, and then inherit the actual app controllers from that.
My point though was that I think it's easier to manage and deal with plain old method code that you can basically reuse anywhere easily rather than creating a custom attribute. Sometimes the easy ways are just... easier and just as functional. :-)