How to Secure ASP.NET Web API – Part 1 – Where?

There are many different approaches to secure your ASP.NET Web API.  At the very least, you should leverage HTTPS/SSL/TLS. 

Here is my attempt to compare simple ways to secure Web API using an API key.  OAuth and OpenID are outside the scope.  I will leave the bigger topic of encryption (i.e. public/private keys and which data to encrypt/decrypt) to a later post.

Where should you put your code?

Pros of each option:

HTTP Modules
• Run earlier in the pipeline than HTTP message handlers
• Useful for authentication for both MVC and Web API

HTTP Message Handler
• Supports self-hosting
• Can be configured for all Web API routes or per route
• Has access to principal information
• Useful for authentication for Web API
• Runs earlier than authorization filters

Authorization Filter (a type of action filter)
• Useful for authorization
• Can be configured for all controllers, specific controllers, and specific controller actions

In summary, an HTTP message handler is a good choice for performance reasons.  If your authentication logic is specific to certain controllers or actions, use authorization filters.


Why not just put it inside Controllers?

You can always call custom authentication/authorization routines inside controllers, but then you are not taking advantage of the ASP.NET pipeline.

The earlier in the pipeline you put the code, the more work you save: a request that fails authentication is rejected and returned before the controller, model binding, or action filters ever run.
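As an added illustration (not code from the original post), here is what the message-handler option looks like in Web API 2: a DelegatingHandler that validates an API key ahead of every controller and filter, and on success sets the principal that later Authorize filters will see. The class name, the X-Api-Key header and the key store are assumptions; register it for all routes with config.MessageHandlers.Add(new ApiKeyHandler()) in WebApiConfig.Register.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical handler: validates the X-Api-Key header before any controller
// runs and, on success, sets the principal that Authorize filters will see.
public class ApiKeyHandler : DelegatingHandler
{
    // Constructed sample key store (client name -> key); a real service loads
    // these from protected configuration rather than hard-coding them.
    private static readonly Dictionary<string, string> Keys = new Dictionary<string, string> { { "reporting-client", "sample-key-0001" } };

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        IEnumerable<string> values;
        string client = request.Headers.TryGetValues("X-Api-Key", out values)
            ? FindClient(values.First()) : null;
        if (client == null)
        {
            // Fail early: controllers and action filters never execute.
            return request.CreateResponse(HttpStatusCode.Unauthorized, "Missing or invalid API key");
        }
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, client) }, "ApiKey");
        request.GetRequestContext().Principal = new ClaimsPrincipal(identity);
        return await base.SendAsync(request, cancellationToken);
    }

    // Compare each stored key in fixed time so response timing does not
    // reveal how many leading characters of a guessed key were correct.
    private static string FindClient(string presented)
    {
        byte[] p = Encoding.UTF8.GetBytes(presented);
        foreach (var kv in Keys)
        {
            byte[] k = Encoding.UTF8.GetBytes(kv.Value);
            int diff = k.Length ^ p.Length;
            for (int i = 0; i < k.Length && i < p.Length; i++) diff |= k[i] ^ p[i];
            if (diff == 0) return kv.Key;
        }
        return null;
    }
}
```

Because the handler runs before authorization filters, a controller decorated with [Authorize] sees the ClaimsPrincipal set here, and requests with a missing or wrong key are answered with 401 without touching the controller at all.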


References:

http://www.asp.net/web-api/overview/advanced/http-message-handlers

http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api

http://jamiekurtz.com/2013/01/14/asp-net-web-api-security-basics/

http://codebetter.com/johnvpetersen/2012/04/02/making-your-asp-net-web-apis-secure/

http://codebetter.com/johnvpetersen/2012/04/04/moving-from-action-filters-to-message-handlers/


Deploy Database to Azure SQL Database

I was trying the new service tiers for Azure SQL Database (still in preview) at this point.  I wanted to test out “Basic” Edition.

Problem:

When I tried to do a web deploy from VS2013, it failed with error message:

“Failed to import target model <DBName>. Detailed message Unable to reconnect to database.”

Solution:

When I downgraded the Azure SQL Database edition from “Basic” to “Web”, the web database deployment succeeded.


Problem:

The schema deployed fine.  Now I want to deploy the data as well.  However, the VS 2013 project settings “Package/Publish SQL” seem to be ignored and overruled by the Web Deploy settings.  Web Deploy will only compare and update the schema.

Solution:

After failing to find a quick way to do this, I resorted to the good old SQL Server Import and Export and VS 2013 Data Compare to copy data from LocalDb to Azure SQL Database.

Note:

I will switch back to “Basic” edition because I want to verify the following features:

  • Point-in-time Restore: any point within 7 days
  • Security: Auditing
  • Disaster Recovery: Geo-restore, restore to any Azure region