I am using ASP.NET Core MVC. In my project I use Ajax in order to get some JSON data from an action on my controller. It requests data from the database, then return it as json. It works well.
I want to use role-based authentication in my ASP.NET Core MVC project.
This is my question: if I use a controller action restriction by something like [Authorize(Roles = "Admin")], will it allow anyone whose role is "Admin" to call this method? (I mean will it work without any other trouble just by logging in as Admin)
And will it disable accessing those data when the role is not "Admin"`?
I have not still add Identification to my new project and I'm new to using Ajax.
I have just tested it and it does as desired. It return 401 Unauthorized status code when the user is not authorized and 200 OK success status response code. Thanks guys for your responses.
Related
When I created a WebAPI project, and then a MVC project. In MVC project, I run a sever https://localhost:44303/ which has a page. In this page I created a button for ajax call. I call to my WebAPI project https://localhost:44369/ (different origin), and of course I get CORS policy. I cannot get any data. But when I change the ajax call to a fake API like on the internet https://jsonplaceholder.typicode.com/todos/1, I can get data. I think the fake API and the MVC project have different origin, so CORS should prevent the ajax call. Why can I still get the data from that fake API?
They are simply accepting request from all ip
Trying to search for this results many many results for securing a WebAPI and how to secure an MVC application, but i could not find a solution.
What i want to achieve:
i have an MVC website with a modal Login form,
When the user enters he's credentials to the the form, an Ajax request is sent to a WebAPI with the credentials.
The WebAPI should return (i guess a ticket, since that is what i found).
The ticket would be then saved into the sessionStorage of the browser (no cookies),
Each page request to the website will check for the token, and enable/disable the parts that need to be secured.
All the examples i have found are showing either MVC only authentication,
or WebAPI authentication, but i could not find anything that does the described above.
The sessionStorage is available only for client-side use. You can manipulate or retrieve values from the storage using Javascript, but you can't directly read data from the server. Since MVC typically renders HTML Views server side, you have no options to send the token stored in the sessionStorage on each request.
The situation you described is an hybrid solution which can't be achieved without the use of cookies.
A simple solution is to set the login data (specifically the token if you will use a token-based approach) in a cookie issued by the Web API endpoint during the login phase.
I have been playing with Thinktecture IdentityServer3 and am keen to use it as the product looks great. However, I don't fully understand how to accomplish my flow which is probably fairly common:
Create Identity Server using Implicit flow
Setup an MVC web site
Setup a separate Web API
So far so good, as demonstrated in the examples on the site. I now wish to call the API using AJAX calls directly but for this i need an access token. It seems like a large overhead to have to route these through the MVC site itself (again, in the examples).
How can I accomplish this flow? Would it essentially blend the MVC and Javascript Client samples or is there a smoother way so the user only has to sign in once? Perhaps send the access token in a hidden field but then how would it renew?
Any help on understanding this would be great.
I've managed to come up with a solution which seems to work, not sure if it's best practice though...
Expose a method on the MVC site at AJAX/AccessToken
Method should be locked down with Authorize attribute to ensure the MVC part of the site is authenticating properly with IdentityServer
Method returns the users Access Token which was generated through the above call via MVC controllers
In JavaScript, simply use this endpoint to get an Access Token and then call the API manually
The call to get the Access Token should be secure as its within the same domain/authentication model as the MVC site itself
I've put up a sample here for anyone interested:
OIDC-Website
Check out the form post client to see the endpoints being called explicitly. You will need to hit the token endpoint to get your access token.
You should be able to use these endpoints in your AJAX calls, store the received claims and tokens in a cookie and take it from there.
Note that to renew the access token, you will also need to store the refresh token. The Implicit flow does not allow for refresh tokens (you'll need to use the Authorization Code Flow or the Hybrid Flow).
I created MVC4 application with internet application template, added an API controller with authorize attribute.
How can I make api controller action return user specified data?
Currently I am using WebSecurity.GetUserID to get Userid, I have Userid in the data table.
After compiling the application, if I call api controller action first, I will have following error message:
You must call the "WebSecurity.InitializeDatabaseConnection" method before you call any other method of the "WebSecurity" class. This call
should be placed in an _AppStart.cshtml file in the root of your
site.
if I go to MVC controller action frist, and come to api action again, it works fine.
I am wondering how to solve this issue, and what is the best practice to handle user specified data with web api and MVC4, Thanks.
Currently, I building my website personal (using ASP.NET MVC 3).
I want to provide some services to public by using API, finished building everything, but RESTFul does not contain on Authorization, I read this article:
http://blogs.msdn.com/b/rjacobs/archive/2010/06/14/how-to-do-api-key-verification-for-rest-services-in-net-4.aspx
But I could not use the method with ASP.NET MVC 3!!
I want the following:
1- Send Api-Keys for those who want to use my service
2- verify Domain (owner api-key == OR != owner domain) !!!! Is this possible?
You could make it a requirement that they always send their key in the requests. Then you could subclass the AuthorizeAttribute to check if the key in the request matches something in your datastore. This attribute can then be decorated on your controllers.
You can get the domain making the request using Request.UrlReferrer