I had created an MVC4 Web API. But people without authorization can also use it. Example: people typing "/api/product/1" in the address bar can also get the result. So, how do I implement security and allow only authorized persons to use the Web API? How do I grant authorization to the person who is allowed to log in to the Web API?

  • http://stackoverflow.com/questions/14365373/asp-net-mvc4-and-web-api-authentication-authorization-windows-8-and-web – Marthijn Dec 06 '13 at 08:36
  • What type of authorization are you looking for? Credentials based? Is your API public? If you are looking to do server-to-server authentication you could look at HMAC based authentication which is quite awesome. This answer speaks about a WebAPI implementation: http://stackoverflow.com/a/11782361/350933 – ctrlplusb Dec 06 '13 at 09:43

2 Answers


More info about Authentication and Authorization

Simply adding the annotation to your controller will do:

using System.Net.Http;
using System.Web.Http;

// Require authorization for all actions on the controller.
[Authorize]
public class ValuesController : ApiController
{
    public HttpResponseMessage Get(int id) { ... }
    public HttpResponseMessage Post() { ... }
}

// Restrict by user:
[Authorize(Users="Alice,Bob")]
public class ValuesController : ApiController
{
}

// Restrict by role:
[Authorize(Roles="Administrators")]
public class ValuesController : ApiController
{
}
Sentinel
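As an added example (not from the answer above and not ASP.NET's own code) of what [Authorize] does end to end, the following self-contained console program hosts a hypothetical ProductController in memory and puts a hypothetical ApiKeyHandler in front of it. The handler authenticates an X-Api-Key header (the header name and the demo key are constructed for this example) and sets the principal that AuthorizeAttribute checks; it targets the MVC4-era Web API (System.Web.Http) the question is about.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Hypothetical controller: [Authorize] makes every action require an
// authenticated principal; anonymous callers are rejected before Get() runs.
[Authorize]
public class ProductController : ApiController
{
    public string Get(int id)
    {
        return "product " + id + " for " + User.Identity.Name;
    }
}

// Hypothetical message handler: authenticates the caller from an X-Api-Key
// header and, on success, sets the principal that [Authorize] inspects.
public class ApiKeyHandler : DelegatingHandler
{
    private readonly byte[] _expectedKey;

    public ApiKeyHandler(string expectedKey)
    {
        _expectedKey = Encoding.UTF8.GetBytes(expectedKey);
    }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        IEnumerable<string> values;
        if (request.Headers.TryGetValues("X-Api-Key", out values)
            && FixedTimeEquals(Encoding.UTF8.GetBytes(values.First()), _expectedKey))
        {
            var identity = new GenericIdentity("api-client", "ApiKey");
            var principal = new GenericPrincipal(identity, new[] { "ApiUser" });
            // Web API 1 (MVC4) reads Thread.CurrentPrincipal in AuthorizeAttribute;
            // under IIS also assign HttpContext.Current.User to the same principal.
            Thread.CurrentPrincipal = principal;
        }
        // No key or a wrong key: leave the request anonymous and let [Authorize] reject it.
        return base.SendAsync(request, cancellationToken);
    }

    // Compare every byte so a wrong key takes the same time as a right one.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Program
{
    public static void Main()
    {
        const string demoKey = "demo-key-not-a-real-secret"; // constructed demo value

        var config = new HttpConfiguration();
        config.Routes.MapHttpRoute("DefaultApi", "api/{controller}/{id}",
            new { id = RouteParameter.Optional });
        config.MessageHandlers.Add(new ApiKeyHandler(demoKey));

        // In-memory host: requests run through the real Web API pipeline without IIS.
        using (var server = new HttpServer(config))
        using (var client = new HttpClient(server))
        {
            HttpResponseMessage anonymous = client.GetAsync("http://localhost/api/product/1").Result;
            Console.WriteLine("no key:   " + (int)anonymous.StatusCode);

            var request = new HttpRequestMessage(HttpMethod.Get, "http://localhost/api/product/1");
            request.Headers.Add("X-Api-Key", demoKey);
            HttpResponseMessage authorized = client.SendAsync(request).Result;
            Console.WriteLine("with key: " + (int)authorized.StatusCode + " "
                + authorized.Content.ReadAsStringAsync().Result);
        }
    }
}
```

Build it as a console project referencing System.Web.Http and System.Net.Http. The first request carries no key, so [Authorize] answers 401 Unauthorized and Get never executes; the second carries the key, gets a principal from the handler and reaches the action. The attribute only enforces a principal that something earlier in the pipeline has established, here the handler, in the second answer the OWIN cookie middleware, so whatever credential store you use belongs in that earlier step, not in the attribute.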

You can use the MVC4 AspNet.Identity UserManager and Microsoft.Owin.Security to authenticate the user.

using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Http;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.Owin.Security;

// Resolves the OWIN authentication manager for the current request.
private IAuthenticationManager AuthenticationManager
{
    get { return HttpContext.Current.GetOwinContext().Authentication; }
}

// Checks the credentials and issues the application cookie on success.
public async Task<HttpResponseMessage> Login(string username, string password)
{
    // YourDbContext is a placeholder: use the DbContext that holds your users.
    var userManager = new UserManager<TenantUser>(new UserStore<TenantUser>(new YourDbContext()));
    TenantUser user = userManager.Find(username, password);
    if (user != null)
    {
        // Drop any existing application cookie before issuing a fresh one.
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        ClaimsIdentity identity = await userManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
        AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = true }, identity);
        return Request.CreateResponse(HttpStatusCode.OK);
    }

    return new HttpResponseMessage(HttpStatusCode.Forbidden)
    {
        Content = new ObjectContent<object>(
            new { Error = "You are not authorized to perform this action" },
            Configuration.Formatters.JsonFormatter)
    };
}

It is working for me.

Nilesh Gajare