2

I've been following a series of videos on how to create a web API using MVC 4. The sixth video describes the authorization process, but it is both too complex for what I want, and it somehow redirects to a form (which makes no sense to me, but then I'm new to this stuff).

I've used APIs from other sites, and they usually use one of 2 methods:

  1. a token in the url (http://myurl/api/service/?token=[bunch of characters here])

  2. a username or password (or token) in the header

I'm leaning towards the second method, as it means I wouldn't have to add a parameter to each of my methods.

If I use this approach, do I need to add code to the beginning of each method to check the headers (request.headers?) for username/password (then find them in our database and see if they have permission to access this method)...Or is there a simpler way of doing this?

2
  • 2
    Give more thought to your tagging, things like web and api are useless. You had used asp which resolves to asp-classic. Hence your original tagging got your question nowhere near anybody who might help you. Commented Jun 7, 2012 at 14:39
  • didn't notice the asp-classic...thanks for the advice Commented Jun 8, 2012 at 13:08

1 Answer

4

You can mark your Controller class with an attribute which is derived from AuthorizationFilterAttribute. http://msdn.microsoft.com/en-us/library/system.web.http.filters.authorizationfilterattribute(v=vs.108).aspx

In this case you will not need to write authorization checks in every method, but only in one place. This approach is well described under the following link:

http://www.tugberkugurlu.com/archive/api-key-authorization-through-query-string-in-asp-net-web-api-authorizationfilterattribute


4 Comments

I checked out the second link and it's almost exactly what I'm looking for (though slightly more robust than I need it to be). I didn't want to install it as a package (not too familiar with C#) so I decided to copy the parts of the package that I needed and add them to my solution (not very elegant)...ran across a major problem...Common library was removed ...and therefore Error is inaccessible? What do I use instead?
To be clear, I'm getting the error "'System.Web.Http.Error' is inaccessible due to its protection level"...so, it is now in System.Web.Http (not Common) but it is internal...what should I be using instead?
Don't you want to just copy the DLLs from the package and reference them without modification? The DLLs are: System.Web.Http.dll, System.Web.Http.Common.dll, System.Web.Http.WebHost.dll, System.Json.dll, System.Net.Http.dll, System.Net.Http.Formatting.dll, System.Net.Http.WebRequest.dll
This probably exposes my ignorance, but I wanted to understand exactly what was happening, and there was a lot of stuff in Tugberk's code that I didn't understand...so I wrote some code myself...I was able to combine parts of Tugberk's Code with a tutorial on filters and make a basic authorization without the roles...just the apiKey (I'm now working on adding the roles...)
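
A sketch of the filter approach from the answer, applied to the header-based option in the question. This is an added example, not code from the thread or from the linked article; it assumes the released ASP.NET Web API (`System.Web.Http`), and the header name `X-ApiKey`, the `IApiKeyStore` interface and the static `Store` property are hypothetical names chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical lookup; back it with the database table that holds keys and roles.
public interface IApiKeyStore
{
    // Returns the roles granted to the key, or null when the key is unknown.
    string[] FindRoles(string apiKey);
}

public class ApiKeyAuthorizeAttribute : AuthorizationFilterAttribute
{
    public const string HeaderName = "X-ApiKey"; // assumed header name

    // Assumed wiring: assigned once at application start.
    public static IApiKeyStore Store { get; set; }

    // Optional comma-separated roles, e.g. [ApiKeyAuthorize(Roles = "Admin")].
    public string Roles { get; set; }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        HttpRequestMessage request = actionContext.Request;
        IEnumerable<string> values;
        string apiKey = request.Headers.TryGetValues(HeaderName, out values)
            ? values.FirstOrDefault() : null;

        // Fail closed: a missing header, an unknown key or an unset store all deny.
        string[] granted = (string.IsNullOrWhiteSpace(apiKey) || Store == null)
            ? null : Store.FindRoles(apiKey);
        if (granted == null)
        {
            // Setting Response short-circuits the pipeline; the action never runs.
            actionContext.Response = request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        // Known key: require at least one of the listed roles, if any are listed.
        string[] required = (Roles ?? "").Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        bool allowed = required.Length == 0 ||
            required.Any(r => granted.Contains(r.Trim(), StringComparer.OrdinalIgnoreCase));
        if (!allowed)
            actionContext.Response = request.CreateResponse(HttpStatusCode.Forbidden);
    }
}
```

Placing `[ApiKeyAuthorize]` on a controller class covers every action in it, and adding an instance to `HttpConfiguration.Filters` covers the whole API. Because the key travels in a header on every request, the API should be served only over HTTPS.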
