ASP.NET WEB API 2 Security advice - asp.net-mvc

I currently have an ASP.NET MVC and ASP.NET WEB API 2 project (both types of controllers are included in the same project).
I want to ensure that a user cannot directly make a call to the Web API and get raw data (such as http://domain/api/myaction). However, the API methods should have the ability to be called by jQuery via AJAX, and MVC controller actions should also be able to call the Web API actions (in cases where the initial View should be rendered with some data that came from the API).
What is the best approach to do something like this, or am I looking at this the wrong way?

There is no difference between an Ajax call and a "direct" call.
What you should do, in any case, for controller actions is validate the request via a token or whatever authentication method you have established.
If you are using Microsoft authentication you only need to add the [Authorize] tag above your controller/action.
https://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute(v=vs.118).aspx

Related

WEB API restful/mvc

I need to handle authorization in my project.
My project contains 5 libraries (DAL+COMMON+SERVICE+API+UI).
My UI project is accomplished with MVC. When I need to show a partial view I request a controller in MVC to return me the partial view, and when I need to add a new item I call the Web API directly from my HTML. So sometimes I call a controller in MVC and sometimes I need to call the Web API from HTML using an AJAX call.
I want to know where I should put my security permissions: in the UI or in the API?
I would make sure that both your API and MVC layer are protected.
You can protect all controllers with some sort of Authorization, depending on how you set up your project to begin with.
If the API is part of the same MVC project then it can use the same authorization system as the MVC side of things.
If your API is completely independent and functions on its own then you can use something like IdentityServer, to protect it with OAuth2.

.Net MVC WebAPI: making some methods "admin only"?

.Net 4.6.1
I am still very new to .Net and MVC. Trying my hand at creating an API and then what will really be a JavaScript app that will consume the API. I've got a thousand questions but I will focus on one area for this. In the API code I see the methods that support the CRUD operations. I will want the read-only API methods open to the world but the editing methods need authorization.
Is there a best practice here? Should I create two APIs? One for the "public" read actions and another for the admin operations? Can I keep one API and force the edit actions to require auth? I've seen a discussion of using API keys -- perhaps have API keys for the admin methods?
I would recommend reading these articles as a starting point (and some of the other articles in the same section!):
Authentication Filters in ASP.NET Web API 2
Authentication and Authorization in ASP.NET Web API
You can turn on or off authentication for web API at virtually any level.
Globally, per controller, or per action method.
You can also override something, so if you turn it on globally, you can turn it off for a particular controller or method.
So to answer part of your question, I can't see that there is a need to create two APIs, but the articles linked will help.
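As an added illustration of the answer above (and of the [Authorize] advice in the first answer on this page), here is a single Web API 2 controller where reads are public and edits require an authenticated user in the Admin role. This is example code written for this page, not code from the question or the linked articles; the Article type, the in-memory list and the Admin role name are assumptions.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Web.Http;

// WebApiConfig.Register: a global AuthorizeAttribute makes "must be authenticated" the default for every action.
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.Filters.Add(new AuthorizeAttribute());
        config.MapHttpAttributeRoutes();
    }
}

public class Article
{
    public int Id { get; set; }
    public string Title { get; set; }
}

// One API for everyone: reads are opened per action, edits keep the global rule and tighten it to a role.
[RoutePrefix("api/articles")]
public class ArticlesController : ApiController
{
    // Constructed in-memory store standing in for the real data layer (not safe for concurrent writes).
    private static readonly List<Article> Articles = new List<Article> { new Article { Id = 1, Title = "Hello" } };

    [HttpGet, Route(""), AllowAnonymous] // public read: overrides the global filter for this action only
    public IHttpActionResult GetAll()
    {
        return Ok(Articles);
    }

    [HttpPost, Route(""), Authorize(Roles = "Admin")] // edit: authenticated AND in the Admin role, else 401/403
    public IHttpActionResult Create(Article article)
    {
        if (article == null || string.IsNullOrWhiteSpace(article.Title)) return BadRequest();
        article.Id = Articles.Count == 0 ? 1 : Articles.Max(a => a.Id) + 1;
        Articles.Add(article);
        return Created("api/articles/" + article.Id, article);
    }

    [HttpDelete, Route("{id:int}"), Authorize(Roles = "Admin")]
    public IHttpActionResult Delete(int id)
    {
        var removed = Articles.RemoveAll(a => a.Id == id);
        return removed == 0 ? (IHttpActionResult)NotFound() : StatusCode(HttpStatusCode.NoContent);
    }
}
```

With the global filter in place, any new action you forget to decorate is denied by default; [AllowAnonymous] is the explicit opt-out for the public reads.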

ASP.NET MVC Web app to REST API

It's more a structural question than a technical one.
I made a classical Web App with ASP.NET MVC.
It works well: the server responds with HTML when I send it a URL. OK.
I now want to make a mobile application (Android) to access the same data.
Maybe there is a way to use the controller's methods which already return the objects I'll need.
So the question:
Is there a simple way to make a REST API from an ASP.NET MVC web app?
Once again, I think that the controller's method will be pretty much the same. It just has to not return HTML but XML for instance.
I'm a newbie in the Web services technologies.
Add a Web API project to your solution.
Configure Web API controllers.
Reuse the MVC classes to access the database.
Return the necessary data; Web API will return it in JSON or in XML (depending on how the client consumes it).
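The four steps above, carried through as an added example (not code from the question or answer): one service class feeds both the existing MVC controller and a new Web API controller, and Web API formats the same objects as JSON or XML according to the client's Accept header. Product, ProductService and the sample data are constructed for this illustration.

```csharp
using System.Collections.Generic;
using System.Web.Http;
using System.Web.Mvc;

public class Product
{
    public int Id { get; set; }
    public string Name { get; set; }
}

// The data-access/service class the MVC site already has (constructed sample data instead of a DbContext).
public class ProductService
{
    public IList<Product> GetAll()
    {
        return new List<Product> { new Product { Id = 1, Name = "Widget" }, new Product { Id = 2, Name = "Gadget" } };
    }
}

// Existing MVC controller: same objects, rendered as HTML by a Razor view for the browser.
public class ProductsController : Controller
{
    public ActionResult Index()
    {
        return View(new ProductService().GetAll());
    }
}

// New Web API controller for the Android app: same service, same objects, no view.
// Web API picks JSON or XML from the request's Accept header (content negotiation).
public class ProductsDataController : ApiController
{
    public IHttpActionResult Get()
    {
        return Ok(new ProductService().GetAll());
    }
}

// Route registration so the API answers at /api/productsdata (called from WebApiConfig.Register).
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.Routes.MapHttpRoute("DefaultApi", "api/{controller}/{id}", new { id = RouteParameter.Optional });
    }
}
```

A request with Accept: application/xml gets XML, one with Accept: application/json (or none) gets JSON; the controller code does not change.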

Single Page app using Controller - how to secure with ASP.NET Identity?

I have a single page app that uses a standard Controller (not ApiController) for retrieving all HTML views, which is done via AJAX. However, Web API is utilized using BreezeJS for the client to talk to the backend database. I am implementing ASP.NET Identity security - should I use MVC cookie authentication or bearer token? I need the solution to illustrate a separate login page, and need a clean server side redirect.
Disclaimer
This is a relatively trivial question because it is very specific and by understanding the difference in authentication between Web API and MVC Controllers this should be fairly straight forward.
Assumptions
Your Web API project has its own authentication and does not talk to the MVC project to get a session user or anything.
Your ASP.NET MVC controllers are in a project using forms authentication and storing the user in a session cookie.
When I reference MVC below, understand that this refers to ASP.NET MVC.
Recommendation
What I would do is have your MVC project use OAuth for authentication and store the user in a cookie in the session that you can set and get. Then your controller actions that serve views can be decorated with the Authorize attribute. This will redirect users to the login page when they try to access a view they are not allowed to (as long as that is set up in your web.config).
For the Web API Project you can't rely on Session because it sounds like you are decoupling the two projects. This is my recommendation -
When your user is successfully authenticated in your MVC Project make a request to the Web API to an open log in method. This would do some logical test and then either store the user in the DB with a session token of some sort or automatically write the user to the DB.
Now you can pass the user that is stored in session in your MVC project down to the client, append it to the Breeze calls to your Web API, and use that for authentication. You will need to explicitly set up how long that token is valid for and such, but it is pretty easy to append this to the Breeze.js call like so -
var query = breeze.EntityQuery.from('myService').withParameters({'tokenId': thisTokenId});
Now your queries will hit the API with a tokenId parameter that it can use for authentication.
Edit
If you want to set up your ASP.NET MVC project to use OAuth you can follow along with this link -
http://www.asp.net/mvc/tutorials/security/using-oauth-providers-with-mvc
Remember that forms based authentication just means (in a nutshell) that you will provide the user some way of logging in with a form of some sort.
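To show the Web API side of the recommendation above, here is an added example (not the answerer's code) of a Web API 2 authentication filter that reads the tokenId Breeze appended with withParameters, looks it up in the token table the "open log in method" would write, and honours the expiry the answer says you must set explicitly. SessionTokenStore is a constructed in-memory stand-in for that table, and the "SessionToken" authentication type name is an assumption.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http.Filters;
using System.Web.Http.Results;

// Constructed stand-in for the DB table the "open log in method" writes to: tokenId -> (user, expiry UTC).
public static class SessionTokenStore
{
    private static readonly ConcurrentDictionary<string, Tuple<string, DateTime>> Tokens =
        new ConcurrentDictionary<string, Tuple<string, DateTime>>();

    public static void Issue(string tokenId, string userName, TimeSpan lifetime)
    {
        Tokens[tokenId] = Tuple.Create(userName, DateTime.UtcNow.Add(lifetime));
    }

    public static string UserFor(string tokenId)
    {
        Tuple<string, DateTime> entry;
        if (tokenId == null || !Tokens.TryGetValue(tokenId, out entry)) return null;
        return entry.Item2 > DateTime.UtcNow ? entry.Item1 : null; // expired tokens are rejected
    }
}

// Web API 2 authentication filter: reads the tokenId query parameter that Breeze appended via withParameters.
public class TokenAuthenticationAttribute : Attribute, IAuthenticationFilter
{
    public bool AllowMultiple { get { return false; } }

    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        var tokenId = context.Request.GetQueryNameValuePairs().FirstOrDefault(p => p.Key == "tokenId").Value;
        if (tokenId == null) return Task.FromResult(0); // no credential: stay anonymous, [Authorize] refuses later

        var userName = SessionTokenStore.UserFor(tokenId);
        if (userName == null)
        {   // unknown or expired token: answer 401 rather than silently continuing
            context.ErrorResult = new UnauthorizedResult(new AuthenticationHeaderValue[0], context.Request);
            return Task.FromResult(0);
        }
        context.Principal = new GenericPrincipal(new GenericIdentity(userName, "SessionToken"), new string[0]);
        return Task.FromResult(0);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    { return Task.FromResult(0); }
}
```

Register the filter globally (config.Filters.Add(new TokenAuthenticationAttribute())) and keep [Authorize] on the API controllers so a missing token is refused, not just ignored. Because a query-string token is written to server and proxy logs, keep its lifetime short, as the answer recommends.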

Authentication / Authorization in Hot Towel Template

How can I provide authentication / authorization for an asp.net mvc 4 web application that is built on Hot Towel template. All the views are considered as html pages. In this case how can I redirect my user to login view when s/he requests a view that needs specific credentials?
In a project of mine I used CodeFirst Membership Provider along with AccountController from the BreezeJS sample project. As for redirecting, try building a global library that checks if a user is logged in on every module activate call, and if the authentication fails, redirect them to the login page.
You can do that in your viewmodel JS files and by adding attributes to Web API controllers. In the viewmodel's activate function, when you go to the web server to pull data, you can secure your API call by adding attributes which will ensure that the API call is executed only when the user is authenticated. In case the user is not authenticated you can return an appropriate response message, such as a 401 or 403. The ViewModel can interpret this response type and redirect the user to the login view.
Take a look at the ASP.NET SPA template, which uses the standard MVC authentication.
You can take the authentication code from there and put it into the Hot Towel project.