Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

ASP.NET Web API private controllers

Tags:

asp.net

asp.net-mvc

web-services

asp.net-web-api

I have an ASP.NET Web API project with two controllers, one of which I want to be publicly addressable over the internet and the other which I only want to be called internally over the network.

The best solution that I can come up with so far is to have a route template for public controllers and a template for internal: -

routeTemplate: "api/{controller}/{id}"

routeTemplate: "privateapi/{controller}/{id}"

That way I can configure IIS to block requests to the ‘privateapi’ route.

Is that the best way to handle this scenario?

Thanks.

like image 563
Elenor Platz Avatar asked Jun 26 '13 12:06

Elenor Platz

1 Answers

The problem with controlling access MVC and WebAPI in IIS is that routing can sometimes make it difficult to see exactly which routes are ending up at your controller. It is perfectly valid (and in many cases preferred) to restrict access in the code as well.

To do this in code, you can do something like the following which uses a custom AuthorizeAttribute to filter out unauthorized users.

public class InternalAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        if (actionContext.Request.Properties.ContainsKey("MS_HttpContext"))
        {
            var ipAddress =
                ((HttpContextWrapper) actionContext.Request.Properties["MS_HttpContext"]).Request.UserHostAddress;
            if (IsPrivateAddress(ipAddress))
            {
                return;
            }
        }

        actionContext.Response = actionContext.Request.CreateErrorResponse(HttpStatusCode.Forbidden, "Forbidden");
    }

    private bool IsPrivateAddress(string ipAddress)
    {
        // todo: verify ip address is in internal or otherwise whitelisted
    }
}

You can then annotate your controller and have the filter applied on all actions in your controller.

[InternalAuthorize]
public class PrivateController : ApiController
{
}

Note: if the information/actions from this controller is particularly sensitive, you may want to deploy a version of your application that exposes this private api and blocks all traffic non from your whitelist rather than relying on application logic to keep bad guys out.

like image 50
drch Avatar answered Nov 15 '22 08:11

drch
Sign in to Comment

Related questions

how to handle the error message: Session state is not available in this context
Structuring button click methods to avoid code repetition
Get ID of item in ASP.NET Listview on button click
ASP.NET MVC - Update Pre-compiled Razor View file Live in Production
Using resource files (.resx) in javascript
set property of master page from content page and get that property value from another content page in asp.net
is there any design pattern for login?
How to update JavaScript with a value from web.config file in an ASP.NET MVC4 Razor project?
Web.config in virtual directory is not overriding parent website's Web.config
Translating views with HotTowel (Durandal framework) + VS2012
Render Partial in WebPages without using MVC
Converting an ASP.NET Website that has C# and VB to a Web Application
ASP.NET MVC 4, multiple models in one view? [duplicate]
ReportViewer RDLC - Azure Websites Error 80004005
Why facebook says my Image url is invalid?
Accessing a value in a radGrid column
asp.net mvc 3 c# post array of variables
Changing web essentials output location for compiled less files
Exception: Unable to generate etag from dependencies
asp.net bind a list to a gridview

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!