The very first part of this answer on another question explains how an existing MVC site can very quickly have added to it the ability to expose its data (e.g. to a Winforms app requesting the data), all for a couple of lines of code (without having to convert to WCF/Web API and add extra layers - our project is pretty small and basic):

public JsonResult GetCategoryList()
{
    var list = new List<string>(); // placeholder: populate with the data to return
    return Json(list, JsonRequestBehavior.AllowGet);
}

So we've tested the above as a quick and easy solution and it's clearly very nearly working because in the stream we get the html source for our MVC app's login.

And indeed if we add the AllowAnonymous annotation we do get the Json stream that we're after.

However we don't want to allow anonymous, we want some protection. Have tried adding:

   Dim nc As New NetworkCredential("username", "password")
   request.Credentials = nc

just before firing request.GetResponse but that isn't working (this may be completely ignorant but it seemed worth a shot). When I say it isn't working, I mean we go back to getting the login page's html source in the stream.

So how to allow the winforms app to include some kind of authentication (which will work) with its request for the data? As I say, getting the data is working (proved by AllowAnonymous).

hawbsl

1 Answer

You should separate the authentication code for the web application (the one returning the login) from the one where you are exposing the API.

Looks like you are using forms authentication for the WebSite part and you should keep it that way. However, in the public API GetCategoryList you should implement a different authentication strategy, with ActionFilters for example.

tucaz
  • If I use an ActionFilter annotate the GetCategoryList action with, say, isn't that still expecting forms authentication? How does that change its willingness to "listen" to the request from winforms app? – hawbsl Sep 26 '13 at 16:41
  • You can disable FormsAuth for the controllers location by either using the tag in the web.config or creating another web.config in the controllers folder, as explained here (http://stackoverflow.com/questions/3750917/mvc-authentication-bypass-for-a-single-controller-action), so it won't go through FormsAuth in those routes, or you can put the Api Controllers in another project in another website/application in IIS. – tucaz Sep 26 '13 at 17:07
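
One way to implement the separate API authentication strategy the answer describes, as an added example that is not code from the question or the answer: an MVC authorization filter that checks HTTP Basic credentials on the JSON action and replies with a 401 challenge rather than the forms-authentication redirect to the login page. Assumptions: the class name `BasicAuthApiAttribute` is hypothetical, the site runs on .NET 4.5 or later with a membership provider configured, and the action carries `[AllowAnonymous]` together with this attribute so the site's forms-auth check is skipped while this one still runs.

```csharp
using System;
using System.Text;
using System.Web.Mvc;
using System.Web.Security;

// Added example; BasicAuthApiAttribute is a hypothetical name, not from the original posts.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class BasicAuthApiAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var http = filterContext.HttpContext;
        // Basic credentials are only base64-encoded, so refuse them over plain HTTP.
        if (!http.Request.IsSecureConnection)
        {
            filterContext.Result = new HttpStatusCodeResult(403, "HTTPS required");
            return;
        }
        string user, password;
        if (TryReadBasicHeader(http.Request.Headers["Authorization"], out user, out password)
            && Membership.ValidateUser(user, password)) // assumption: membership provider in use
        {
            return; // authenticated: let the action run
        }

        // Answer with a real 401 challenge instead of the forms-auth 302 to the login page.
        http.Response.SuppressFormsAuthenticationRedirect = true; // requires .NET 4.5+
        http.Response.AddHeader("WWW-Authenticate", "Basic realm=\"api\"");
        filterContext.Result = new HttpUnauthorizedResult();
    }

    private static bool TryReadBasicHeader(string header, out string user, out string password)
    {
        user = password = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;
        try
        {
            var decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim()));
            var colon = decoded.IndexOf(':'); // the password may itself contain ':'
            if (colon <= 0) return false;     // no separator or empty user name
            user = decoded.Substring(0, colon);
            password = decoded.Substring(colon + 1);
            return true;
        }
        catch (FormatException) { return false; } // malformed base64
    }
}
```

Once the server answers with a 401 and `WWW-Authenticate: Basic`, the `NetworkCredential` assigned to `request.Credentials` in the WinForms client is sent on the automatic retry.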