Web API 2 RequireHttps allowing http connection - https

I have created the following action in my MVC Web API 2 controller:
[ResponseType(typeof(int))]
[RequireHttps]
public IHttpActionResult SaveLead(EcommerceLead lead)
{
}
But in my test app I am making a call to
http://localhost/api/savelead
And it is working. Is there any way to make the action to only work if it is called over https, ie return a 404 if it isn't or something?

If you are using RequireHttps from Mvc namespace, it will not work with Web API. You can write a simple filter for Web API yourself to enforce HTTPS. Since you are using Web API 2, create an authentication filter like this.
public class RequireHttpsAttribute : IAuthenticationFilter
{
public bool AllowMultiple
{
get { return true; }
}
public Task AuthenticateAsync(HttpAuthenticationContext context,
CancellationToken cancellationToken)
{
if (context.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
{
context.ActionContext.Response = new HttpResponseMessage(
System.Net.HttpStatusCode.Forbidden);
}
return Task.FromResult<object>(null);
}
public Task ChallengeAsync(HttpAuthenticationChallengeContext context,
CancellationToken cancellationToken)
{
return Task.FromResult<object>(null);
}
}

If you are using web api older version you can use Authoriztion filter.
public class RequireHttpsAttribute : AuthorizationFilterAttribute
{
public override void OnAuthorization(HttpActionContext actionContext)
{
if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
{
actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden)
{
ReasonPhrase = "HTTPS Required"
};
}
else
{
base.OnAuthorization(actionContext);
}
}
}

You can use Message Handler.
public class RequireHttpsHandler : DelegatingHandler
{
protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request,
CancellationToken cancellationToken)
{
if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
{
return Task.FromResult(new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden)
{
ReasonPhrase = "HTTPS Required"
});
}
return base.SendAsync(request, cancellationToken);
}
}

Related

Simple Injector inject dependency into custom global authentication filters and OWIN middle ware OAuthAuthorizationServerProvider

I used Simple Injector as our Ioc container; we have two problems.
We want to inject into our custom authentication filter; we read the post of converting attribute to a passive attribute: Convert Attribute into a passive. But we can't convert custom authentication filter attribute into a passive.
public class BearerAuthentication : Attribute, IAuthenticationFilter
{
public async Task AuthenticateAsync(
HttpAuthenticationContext context, CancellationToken cancellationToken)
{
}
public Task ChallengeAsync(
HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
{
}
}
We want to inject dependency into OWin middleware OAuthAuthorizationServerProvider; we know we can use begin execution context scope, but we want an elegant solution.
using (Ioc.Container.BeginExecutionContextScope())
{
}
Updated
public interface IAuthenticationFilter<TAttribute> where TAttribute : Attribute
{
Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken);
Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken);
}
public class BearerAuthenticationFilter : Attribute, IAuthenticationFilter<BearerAuthenticationFilter>
{
private readonly IAuthenticationBusinessEngine _authenticationBusinessEngine;
private readonly IHttpContextAccessor _httpContextAccessor;
public BearerAuthenticationFilter(IAuthenticationBusinessEngine authenticationBusinessEngine, IHttpContextAccessor httpContextAccessor)
{
_authenticationBusinessEngine = authenticationBusinessEngine;
_httpContextAccessor = httpContextAccessor;
}
public async Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
{
throw new NotImplementedException();
}
}
public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
{
throw new NotImplementedException();
}
}
public class AuthenticationFilterDispatcher : IAuthenticationFilter
{
private readonly Func<Type, IEnumerable> _container;
public AuthenticationFilterDispatcher(Func<Type, IEnumerable> container)
{
_container = container;
}
public async Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
{
var descriptor = context.ActionContext.ActionDescriptor;
var attributes = descriptor.ControllerDescriptor.GetCustomAttributes<Attribute>(true)
.Concat(descriptor.GetCustomAttributes<Attribute>(true));
foreach (var attribute in attributes)
{
var filterType = typeof(IAuthenticationFilter<>).MakeGenericType(attribute.GetType());
var filters = _container.Invoke(filterType);
foreach (dynamic actionFilter in filters)
{
await actionFilter.AuthenticateAsync(context, cancellationToken);
}
}
}
public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
{
throw new NotImplementedException();
}
public bool AllowMultiple
{
get
{
return true;
}
}
}
The equivalent code for working with IAuthenticationFilter is:
public interface IAuthenticationFilter<TAttribute> where TAttribute : Attribute
{
Task AuthenticateAsync(TAttribute attribute, HttpAuthenticationContext context);
}
public class AuthenticationFilterDispatcher : IAuthenticationFilter
{
private readonly Func<Type, IEnumerable> container;
public AuthenticationFilterDispatcher(Func<Type, IEnumerable> container) {
this.container = container;
}
public async Task AuthenticateAsync(HttpAuthenticationContext context,
CancellationToken token) {
var descriptor = context.ActionContext.ActionDescriptor;
var attributes = descriptor.ControllerDescriptor
.GetCustomAttributes<Attribute>(true)
.Concat(descriptor.GetCustomAttributes<Attribute>(true));
foreach (var attribute in attributes) {
Type filterType = typeof(IAuthenticationFilter<>)
.MakeGenericType(attribute.GetType());
IEnumerable filters = this.container.Invoke(filterType);
foreach (dynamic actionFilter in filters) {
await actionFilter.AuthenticateAsync((dynamic)attribute, context);
}
}
}
public async Task ChallengeAsync(HttpAuthenticationChallengeContext context,
CancellationToken token) { }
public bool AllowMultiple { get { return true; } }
}
Registration is done as follows:
GlobalConfiguration.Configuration.Filters.Add(
new AuthenticationFilterDispatcher(container.GetAllInstances));
// For Simple Injector 2.x:
container.RegisterManyForOpenGeneric(typeof(IAuthenticationFilter<>),
container.RegisterAll,
new[] { typeof(IAuthenticationFilter<>).Assembly });
// For Simple Injector 3.x:
container.RegisterCollection(typeof(IAuthenticationFilter<>),
new[] { typeof(IAuthenticationFilter<>).Assembly });
Now instead of making your attributes active, you can make the attribute passive and implement the required logic inside an IAuthenticationFilter<MyPassiveAttribute> implementation.
Your attribute and new component might look like this:
// NOTE: This attribute does not derive from anything Web API specific,
// just from Attribute
public class RequiresBearerAuthenticationAttribute : Attribute
{
// put here properties if required
}
public class BearerAuthenticationFilter
: IAuthenticationFilter<RequiresBearerAuthenticationAttribute>
{
private readonly IAuthenticationBusinessEngine _authenticationBusinessEngine;
private readonly IHttpContextAccessor _httpContextAccessor;
public BearerAuthenticationFilter(
IAuthenticationBusinessEngine authenticationBusinessEngine,
IHttpContextAccessor httpContextAccessor)
{
_authenticationBusinessEngine = authenticationBusinessEngine;
_httpContextAccessor = httpContextAccessor;
}
public async Task AuthenticateAsync(RequiresBearerAuthenticationAttribute attribute,
HttpAuthenticationContext context)
{
// TODO: Behavior here
}
}

DelegatingHandler Request Origin

I have one DelegatingHandler to verify an ApiKey included in the Request Header:
public class ApiKeyHandler : DelegatingHandler
{
protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
if (!ApiKey.VerifyRequest(request))
{
var response = request.CreateErrorResponse(HttpStatusCode.Forbidden, "Invalid Api Key");
var tsc = new TaskCompletionSource<HttpResponseMessage>();
tsc.SetResult(response);
return tsc.Task;
}
return base.SendAsync(request, cancellationToken);
}
}
Now I want to extend it to check the origin of the request, because this APIKey is only required for external requests (CORS has not be required yet).
External is defined by Domain and its exclusively Server to Server.
I found the Is_Local Property but this doesnt work for me.
I'm now going with the IP Address:
((dynamic)request.Properties["MS_HttpContext"]).Request.UserHostAddress;
Since you seem to be needing an IP of the caller, WebApiContrib has a good extension method that works on both self host and web host:
public static class HttpRequestMessageExtensions
{
private const string HttpContext = "MS_HttpContext";
private const string RemoteEndpointMessage = "System.ServiceModel.Channels.RemoteEndpointMessageProperty";
public static string GetClientIpAddress(this HttpRequestMessage request)
{
if (request.Properties.ContainsKey(HttpContext))
{
dynamic ctx = request.Properties[HttpContext];
if (ctx != null)
{
return ctx.Request.UserHostAddress;
}
}
if (request.Properties.ContainsKey(RemoteEndpointMessage))
{
dynamic remoteEndpoint = request.Properties[RemoteEndpointMessage];
if (remoteEndpoint != null)
{
return remoteEndpoint.Address;
}
}
return null;
}
}

Properly Implementing IAuthorizationFilter in Web API

I'm having trouble figuring out how to implement an authorization filter in Web API using IAuthorizationFilter from System.Web.Http.Filters.
This is a simple filter I wrote to respond to all non-https requests with a 403 forbidden response:
public class HttpsFilter : IAuthorizationFilter {
public bool AllowMultiple {
get {
return false;
}
}
public Task<HttpResponseMessage> ExecuteAuthorizationFilterAsync( HttpActionContext actionContext, CancellationToken cancellationToken, Func<Task<HttpResponseMessage>> continuation ) {
var request = actionContext.Request;
if ( request.RequestUri.Scheme != Uri.UriSchemeHttps ) {
HttpResponseMessage response = request.CreateResponse( HttpStatusCode.Forbidden );
response.Content = new StringContent( "<h1>HTTPS Required</h1>", Encoding.UTF8, "text/html" );
actionContext.Response = response;
return new Task<HttpResponseMessage>( delegate() {
return response;
} );
}
else
return continuation();
}
}
What I have written so far runs, but when I try to access the api over regular http, it just hangs and I never get a response.
For you scenario, you could simply derive from the "System.Web.Http.AuthorizeAttribute".
Example:
public class HttpsFilterAttribute : System.Web.Http.AuthorizeAttribute
{
public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
{
//do something
}
}
You either need to save the task into a variable and call the task.Start() method before returning it, or use the Task<HttpResponseMessage>.Factory.StartNew(Action action) method to create the task.

How to create custom JsonAuthorize Attribute to secure actions which returns JsonResults?

I was thinking how to correctly secure JsonResult action with custom attribute instead of doing kind of this on each action like saying here ASP.NET MVC JsonResult and AuthorizeAttribute
if (!User.Identity.IsAuthenticated)
return Json("Need to login");
But the question is how could i create such attribute which would return Json.
So i've started from that:
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class JsonAuthorizeAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext == null)
{
throw new ArgumentNullException("httpContext");
}
IPrincipal user = httpContext.User;
if (!user.Identity.IsAuthenticated)
{
//?
}
//Need to return json somehow ?
}
}
Bot how i may return json result from such attribute? any ideas?
You can use an ActionFilterAttribute which allows you to return a result without using the httpcontext.response.write or anything.
public class JsonActionFilterAttribute : ActionFilterAttribute {
public override void OnActionExecuting(ActionExecutingContext filterContext) {
if (!HttpContext.Current.User.Identity.IsAuthenticated) {
filterContext.Result = new JsonResult() { Data = "Need to login." };
}
base.OnActionExecuting(filterContext);
}
}
1 way is to override AuthorizeAttribute.HandleUnauthorizedRequest
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
throw new CustomUnauthorizedException();
}
... And then in your Global.asax:
protected void Application_Error(object sender, EventArgs e)
{
Exception error = Server.GetLastError();
if (error is CustomUnauthorizedException) {
if (AjaxRequest(Request)) {
... return Json response.
} else {
... redirect
}
}
}
So you can throw the exception anywhere in your codebase and you've centralized the handling of that exception in Global.asax
Try this.. it works for me
protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
{
dynamic ResponseObj = new JObject();
ResponseObj.Message = "Authorization has been denied for this request.";
string jsonString = Newtonsoft.Json.JsonConvert.SerializeObject(ResponseObj);
actionContext.Response = new HttpResponseMessage
{
StatusCode = HttpStatusCode.Unauthorized,
Content = new StringContent(jsonString, System.Text.Encoding.UTF8,"application/json")
};
}

Remove/add MessageHandlers at runtime

How can I add or remove message handlers at runtime?
The following example does not work:
var logHandler = GlobalConfiguration.Configuration.MessageHandlers.FirstOrDefault(a => a.GetType() == typeof(ApiLogHandler));
if (logHandler == null)
{
GlobalConfiguration.Configuration.MessageHandlers.Add(new ApiLogHandler());
}
else
{
GlobalConfiguration.Configuration.MessageHandlers.Remove(logHandler);
}
The message handler is added to the list,
but it is not called in the the next requests...
I would inject a MessageHandler into the configuration at startup that is built specifically to have a dynamic list of inner message handlers, and change the interface they use from DelegatingHandler to a custom one, e.g.
public interface ICustomMessageHandler
{
Task SendAsync(HttpRequestMessage request, CancellationToken cancellationToken);
}
After this, you can create a standard MessageHandler that contains a list of inner handlers:
public class DynamicMessageHandler : DelegatingHandler
{
public List<ICustomMessageHandler> InnerHandlers { get; set; }
public DynamicMessageHandler()
{
InnerHandlers = new List<ICustomMessageHandler>();
}
protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
foreach (var innerHandler in InnerHandlers)
{
await innerHandler.SendAsync(request, cancellationToken);
}
return await base.SendAsync(request, cancellationToken);
}
}
This way youshould be able to modify the list of InnerHandlers at runtime as long as you keep a single instance of DynamicMessageHandler around.

Resources