How to Secure ASP.NET Web API – Part 1 – Where?

There are many different approaches to securing your ASP.NET Web API. At the very least, you should leverage HTTPS/SSL/TLS.

Here is my attempt to compare simple ways to secure Web API using an API key. OAuth and OpenID are outside the scope. I will leave the bigger topic of encryption (i.e. public/private keys and the data to encrypt/decrypt) to a later post.

Where should you put your code?



HTTP modules

· Runs earlier in the pipeline than HTTP Message Handlers

· Useful for authentication for both MVC and Web API

HTTP Message Handler

· Supports self-hosting

· Can be configured for all Web API routes or per-route.

· Has principal information

· Useful for authentication for Web API

· Runs earlier than Authorization filters.

Authorization Filter (a type of Action Filter)

· Useful for authorization.

· Can be configured for all controllers, specific controllers, and specific controller actions.

In summary, an HTTP Message Handler is a good choice, for performance reasons. If your authentication logic is specific to certain controllers or actions, then use Authorization Filters.


Why not just put it inside Controllers?

I guess you can always call some custom authentication/authorization routines inside controllers, but then you are not taking advantage of the pipeline.

The earlier in the pipeline you put the code, the more you save on performance, since a request that fails authentication is rejected and returned earlier.
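
The API-key check described above, written as an HTTP Message Handler that rejects a request before any controller or filter runs. This is an added example, not code from the original post; the `X-Api-Key` header, the `ApiKey` appSettings entry and the `api-client` identity name are assumptions, and it targets Web API 2.

```csharp
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Added example, not from the original post. Assumed names: the "X-Api-Key"
// header, the "ApiKey" appSettings entry and the "api-client" identity.
public class ApiKeyHandler : DelegatingHandler
{
    private static readonly byte[] Expected =
        Encoding.UTF8.GetBytes(ConfigurationManager.AppSettings["ApiKey"] ?? "");

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        IEnumerable<string> values;
        string presented = request.Headers.TryGetValues("X-Api-Key", out values)
            ? values.FirstOrDefault() : null;
        // Fail closed: reject when no key is configured or none was sent.
        if (Expected.Length == 0 || presented == null ||
            !FixedTimeEquals(Encoding.UTF8.GetBytes(presented), Expected))
        {
            // Short-circuit: controllers and filters never run for this request.
            return Task.FromResult(
                new HttpResponseMessage(HttpStatusCode.Unauthorized) { RequestMessage = request });
        }
        // Expose the caller to authorization filters further down the pipeline
        // (GetRequestContext is available from Web API 2).
        request.GetRequestContext().Principal = new GenericPrincipal(
            new GenericIdentity("api-client", "ApiKey"), new string[0]);
        return base.SendAsync(request, cancellationToken);
    }

    // Compare every byte so timing does not reveal how many leading bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Register it for all routes with `config.MessageHandlers.Add(new ApiKeyHandler());` in `WebApiConfig.Register`, and keep the key out of source control.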





Deploy Database to Azure SQL Database

I was trying the new service tiers for Azure SQL Database (still in preview) at this point.  I wanted to test out “Basic” Edition.


When I tried to do a web deploy from VS2013, it failed with the error message:

“Failed to import target model <DBName>. Detailed message Unable to reconnect to database.”


When I downgraded the Azure SQL Database Edition from “Basic” to “Web”, the web database deployment succeeded.



The schema deployed fine. Now I want to deploy the data as well. However, the VS 2013 project settings “Package/Publish SQL” seem to be ignored and overruled by the Web Deploy settings. The Web Deploy will only compare and update schema.


After failing to find a quick way to do this, I resorted back to the good ole SQL Server Import and Export & VS 2013 Data Compare to copy data from LocalDb to Azure SQL Database.


I will switch back to “Basic” edition because I want to verify the following features:

  • Point-in-time Restore: Any point within 7 days
  • Security: Auditing
  • Disaster Recovery: Geo-restore, restore to any Azure region