Hi,
I was wondering how we could implement security in web API, I wanted to send JSON data only to my desired website(s). Therefore, I decided to create a custom Authorize Attribute in C# which will authorize any request and will help in implementing security for WEB API.
First we will create a class like below
public class ApiAuthorizeAttribute : System.Web.Http.AuthorizeAttribute
{
private string _responseReason = "";
public bool ByPassAuthorization { get; set; }
List<string> allowedWebsites = new List<string>();
public ApiAuthorizeAttribute()
{
//List of authorized websites
allowedWebsites.Add("localhost");
allowedWebsites.Add("dev.test.com");
allowedWebsites.Add("staging.test.com");
allowedWebsites.Add("new-test.test.com");
allowedWebsites.Add("test.com");
}
protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
{
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
if (!string.IsNullOrEmpty(_responseReason))
actionContext.Response.ReasonPhrase = _responseReason;
}
protected override bool IsAuthorized(HttpActionContext actionContext)
{
//checking against our custom table goes here
if (!this.IsValidRequest(actionContext))
{
this.HandleUnauthorizedRequest(actionContext);
_responseReason = "Access Denied";
return false;
}
return true;
//return base.IsAuthorized(actionContext);
}
public override void OnAuthorization(HttpActionContext actionContext)
{
//logic that will run before even authorizing the customer / user. if this logic fails
// then the user checking against our custom database table will not processed.
// you can skip this if you don't have such requirements and directly call
base.OnAuthorization(actionContext);
}
public bool IsValidRequest(HttpActionContext actionContext)
{
//Check if a valid api page is requested
/*var apiAttributes = GetApiAuthorizeAttributes(actionContext.ActionDescriptor);
if (apiAttributes != null && apiAttributes.Any())
return true;
return false;*/
string url = HttpContext.Current.Request.UrlReferrer.Host;
bool isAllowed=allowedWebsites.Contains(url);
return isAllowed;
}
}
Secondly, We have to implement it see how its done below
[HttpGet]
[ApiAuthorizeAttribute]
[ActionName("GetData")]
public List<DataMaster> GetData()
{
//your code goes here..
}
------------------
In case of webforms we have to use global.asax file to achieve the same result. Create a function in global.asax for ex.
protected bool CheckRequest()
{
List<string> allowedWebsites = new List<string>();
allowedWebsites.Add("test");
allowedWebsites.Add("localhost");
if (Request.Url != null)
{
string requestfrom = Request.Url.GetLeftPart(UriPartial.Authority);
requestfrom = requestfrom.Substring(requestfrom.IndexOf('/') + 2);
requestfrom = requestfrom.Substring(0,requestfrom.IndexOf(':'));
bool isAllowed = allowedWebsites.Contains(requestfrom);
return isAllowed;
}
else
{
return true;
}
}
Then in Application_BeginRequest event in global .asax do this:
protected void Application_BeginRequest(Object sender, EventArgs e)
{
if (!CheckRequest())
{
Response.Write("<center><h1>A suspicious activity has been detected, Your IP has been recorded for further investigation.</h1></center>");
Response.End();
}
}
Thats it!!
I was wondering how we could implement security in web API, I wanted to send JSON data only to my desired website(s). Therefore, I decided to create a custom Authorize Attribute in C# which will authorize any request and will help in implementing security for WEB API.
First we will create a class like below
public class ApiAuthorizeAttribute : System.Web.Http.AuthorizeAttribute
{
private string _responseReason = "";
public bool ByPassAuthorization { get; set; }
List<string> allowedWebsites = new List<string>();
public ApiAuthorizeAttribute()
{
//List of authorized websites
allowedWebsites.Add("localhost");
allowedWebsites.Add("dev.test.com");
allowedWebsites.Add("staging.test.com");
allowedWebsites.Add("new-test.test.com");
allowedWebsites.Add("test.com");
}
protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
{
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
if (!string.IsNullOrEmpty(_responseReason))
actionContext.Response.ReasonPhrase = _responseReason;
}
protected override bool IsAuthorized(HttpActionContext actionContext)
{
//checking against our custom table goes here
if (!this.IsValidRequest(actionContext))
{
this.HandleUnauthorizedRequest(actionContext);
_responseReason = "Access Denied";
return false;
}
return true;
//return base.IsAuthorized(actionContext);
}
public override void OnAuthorization(HttpActionContext actionContext)
{
//logic that will run before even authorizing the customer / user. if this logic fails
// then the user checking against our custom database table will not processed.
// you can skip this if you don't have such requirements and directly call
base.OnAuthorization(actionContext);
}
public bool IsValidRequest(HttpActionContext actionContext)
{
//Check if a valid api page is requested
/*var apiAttributes = GetApiAuthorizeAttributes(actionContext.ActionDescriptor);
if (apiAttributes != null && apiAttributes.Any())
return true;
return false;*/
string url = HttpContext.Current.Request.UrlReferrer.Host;
bool isAllowed=allowedWebsites.Contains(url);
return isAllowed;
}
}
Secondly, We have to implement it see how its done below
[HttpGet]
[ApiAuthorizeAttribute]
[ActionName("GetData")]
public List<DataMaster> GetData()
{
//your code goes here..
}
------------------
In case of webforms we have to use global.asax file to achieve the same result. Create a function in global.asax for ex.
protected bool CheckRequest()
{
List<string> allowedWebsites = new List<string>();
allowedWebsites.Add("test");
allowedWebsites.Add("localhost");
if (Request.Url != null)
{
string requestfrom = Request.Url.GetLeftPart(UriPartial.Authority);
requestfrom = requestfrom.Substring(requestfrom.IndexOf('/') + 2);
requestfrom = requestfrom.Substring(0,requestfrom.IndexOf(':'));
bool isAllowed = allowedWebsites.Contains(requestfrom);
return isAllowed;
}
else
{
return true;
}
}
Then in Application_BeginRequest event in global .asax do this:
protected void Application_BeginRequest(Object sender, EventArgs e)
{
if (!CheckRequest())
{
Response.Write("<center><h1>A suspicious activity has been detected, Your IP has been recorded for further investigation.</h1></center>");
Response.End();
}
}
Thats it!!
No comments:
Post a Comment
Comments are welcome, Please join me on my Linked In account
http://in.linkedin.com/pub/ritesh-tandon/21/644/33b