ASP.NET Web API and Authorization - asp.net-web-api

So I have an existing Windows Phone 7 app that uses my own authorization (player logs in with an alias and password and it verifies it against a db) going to an MVC web services.
Now I'm looking to move over to ASP.NET Web API and I'm a little confused as to how to add security for it?
I see there is the AuthorizeAttribute, but what do I need to do to allow them to be authorized?
Any guidance here would be appreciated.

AuthorizeAttribute is only checking against Thread.CurrentPrincipal to see if the user authorized to access the specified resource (in this case it is controller action) or not. It doesn't provide any type of authentication mechanism.
In your case, as you have username and password in place, you can do basic authentication. Best place to do this is inside a Message Handler. Here is an example: BasicAuthenticationHandler
I don't encourage you to use this as it is because there is no test behind this implementation but this should give you an idea. That class is an abstract class and when you set this as you base class for a message handler, you need to override the AuthenticateUser method and return IPrincipal. If the return value is null, that means user is not authenticated. If you provide an IPrincipal, that IPrincipal will be set and your AuthorizeAttribute can check against it.
You can, for instance, use GenericPrincipal class to create an IPrincipal. Assuming you are on ASP.NET host, you can register your authentication handler as below:
GlobalConfiguration.Configuration.MessageHandlers.Add(new MyAuthHandler());
To sum it up, do the authentication through a Message Handler somehow, no matter what type of authentication you use (Basic Auth, OAuth, etc.). And then, do the authorization through AuthorizeAttribute.
Also, Dominick Baier has a nice presentation on Securing ASP.NET Web
APIs and I recommend you to check that out.

maybe this will help you: Custom AuthorizeAttribute for Web API controllers

Related

WebApi Support Implict Flow (with roles) and Client Credential Grant

I have a situation I haven't run into yet and wondering if I need to write a custom authorize attribute to handle this situation or if there is something in the identity framework I should be using.
I need to support both Implicit flow (mostly for swaggerUI integration) and client credential grant in my webapi. The data I'm working with is sensitive and therefore I don't want anyone who discovers my swagger page and can authenticate with my AAD instance (through an implicit flow) to be able to consume my data. I want to restrict the my api to look for roles in the jwt IF THEY ARE PRESENT.
On the flip side my WebApi is most likely going to be consumed by other services. So I need to support client credential flow. Obviously the tokens issued through the client credentials grant will not have a role claim, so I can't look for roles when I authorize these requests.
I'm basically looking for something like this:
[Authorize(Roles = "swagger_admin", Optional=true)]
public class UserController : ApiController
{
But I'm not seeing something logically equivalant, and before I go out and write a custom authorize attribute I want to know what others have done here.
Thanks!

Mixing Windows authentication and claimsPrincipal in mvc

I have a MVC project with windows authentication and i want to use Claims.
I see that claims inherit from IPrincipal. I think that used for authentication reasons, because in every request before code will be executed validate users credentials.
I this possible? Where have to define claims?

Spring Security Authorize by authentication method

How can I limit the access to a method, base on the authentication method, in Sprint Security?
For example, I want two methods of authentication to my service: basic and LDAP. But for one method in my service I only want access to be allowed if the user authenticated using basic-authirization.
I know I can add Authentication to the method signature and then check if it's an instance of UsernamePasswordAuthenticationToken, but that seems a but ugly and not really using the full power of the framework.
I guess I can do the same with PreAuthorize.
Another ugly way to do this is to add a rule to every authenticated user that tells the authentication method. I can the authorize base on the role. Again, ugly
But is there a more out-of-the-box/Springy way of doing this?

Programmatic authentication

I am using Spring Security in my application.
I have all the pages secured. But couple of URL needs to be available both for system user and anonymous user.
But anonymous user should not have direct access to the URLs. He gets a link with unique token and gets access to some URLS if this token is valid.
What I want to do is:
In controller check if token in URL is valid
If it is - authenticate user in the system programmatically using some predefined login and password. This user will be configured to have authority to access necessary URLs.
The question is:
Is this a correct approach to perform user authentication programatically with some roles in controller if token is valid? Is this safe approach?
Security is an aspect. An aspect can be decoupled from your main code (controller) to reduce code duplication and improve flexibility. Move authentication code from controller to new filter (be sure that this filter executed after spring security filter chain). You will be able secure new URLs via web.xml (zero lines of code).
I think the better way to do this is:
move the shared operations into service layer
define a controller for those anonymous user and make its authority
as anonymous
check the validity of token in this controller
if valid, call some services method to perform the operations.
render the result in this controller

Using AuthorizeAttribute in ASP.NET Web API

I have used the [Authorize] attribute in an ASP.NET Web API method
[Authorize]
public IEnumerable<User> GetAllUsers()
From the application I can access this method without a problem as my user is already authenticated. However, is there any way that I can specify the username, password to this method when calling so that I can implement a REST API? This is when calling from a standalone application or the browser.
I didn't entirely understand your question but System.Web.Http.AuthorizeAttribute checks against Thread.CurrentPrincipal to see if the user is authorized or not.
You can specifically give user permissions if you want as below:
[Authorize(Users = "User1")]
public IEnumerable<User> GetAllUsers()
But the Authentication process is entirely up to you. I would recommend authenticating the user through a message handler and then populating the Thread.CurrentPrincipal there. Then, use the AuthorizeAttribute as you see fit for your application.

Resources