
Limit access to web api 2 controller in dotnet core mvc project

What is the best way to limit access to a Web API 2 controller within an MVC project to only the hosted App Service?

I have created an endpoint which my MVC client is accessing. The entire application is published to Azure through an App Service. How can I now protect the endpoint from being called outside of the application context?

Based on your comments you should consider restructuring your solution.

  • Consider moving your Web API to an independent project. This way your API is decoupled from your MVC app and you can deploy and scale it, if required, independently.
  • Move the MVC client app into its own independent project.
  • For authentication I would consider implementing an authorization server (again in an independent project) that issues tokens to the client (in your case the MVC app), and the client would then access the API using this token. For implementing an auth server you have a couple of options:

    • Use the ClientCredentials grant using IdentityServer4
    • Use the OWIN OAuth middleware to implement your auth server with the ClientCredentials grant
    • There are other OAuth implementations that you could use too.

    Having a dedicated authorization server clearly separates out the identity responsibility allowing you to control access for other future clients and possibly restrict access to only certain endpoints (aka scopes).

You could use an API key in the request's header to filter out unwanted requests.

1. Implement a custom authorization attribute (AuthorizationFilter) class.

    using System.Collections.Generic;
    using System.Linq;
    using System.Net;
    using System.Net.Http;
    using System.Web.Http.Controllers;
    using System.Web.Http.Filters;

    public class AuthorizationFilter : AuthorizationFilterAttribute
    {
        public override void OnAuthorization(HttpActionContext ctx)
        {
            if (!VerifyHeaders(ctx))
            {
                ctx.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
                return;
            }

            base.OnAuthorization(ctx);
        }

        private bool VerifyHeaders(HttpActionContext ctx)
        {
            //Read the API key from the request header (values is null when the header is absent)
            ctx.Request.Headers.TryGetValues("ApiKey", out IEnumerable<string> values);
            var apiKey = values?.FirstOrDefault();

            return CheckApiKey(apiKey);
        }

        private bool CheckApiKey(string apiKey)
        {
            //Verification is done here
            return true;
        }
    }

2. In your controller class

    [HttpPost, AuthorizationFilter]
    public CustomerInfo GetCustomerInfo(CustomerInfoRequest request)
    {
        return Business.GetCustomerInfo(request);
    }

3. The request should contain the API key, which will be verified by the "OnAuthorization" method.
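A hardened version of the filter sketched in this answer, as an added example (not the poster's code): it rejects a missing or duplicated header, fails closed when no key is configured, and compares the key in constant time. It assumes the expected key is stored in an App Service application setting named "ApiKey".

```csharp
using System.Configuration;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Added example, not the answer's code. Same "ApiKey" header as the answer;
// the expected value is assumed to live in the App Service setting "ApiKey",
// which a .NET Framework Web API 2 app reads through AppSettings.
public sealed class ApiKeyAuthorizationFilter : AuthorizationFilterAttribute
{
    private const string HeaderName = "ApiKey";
    public override void OnAuthorization(HttpActionContext ctx)
    {
        if (!VerifyHeaders(ctx))
        {
            // Reject before the action runs; nothing about the key is echoed back.
            ctx.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
            return;
        }
        base.OnAuthorization(ctx);
    }

    private static bool VerifyHeaders(HttpActionContext ctx)
    {
        // Exactly one ApiKey header is acceptable; none or several is a reject.
        if (!ctx.Request.Headers.TryGetValues(HeaderName, out var values))
            return false;
        var supplied = values.ToList();
        return supplied.Count == 1 && CheckApiKey(supplied[0]);
    }

    private static bool CheckApiKey(string apiKey)
    {
        string expected = ConfigurationManager.AppSettings["ApiKey"];
        if (string.IsNullOrEmpty(expected) || string.IsNullOrEmpty(apiKey))
            return false; // an unconfigured key must fail closed, not open
        return FixedTimeEquals(Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(apiKey));
    }
    // Constant-time comparison so response timing does not reveal how many leading
    // bytes matched (CryptographicOperations.FixedTimeEquals is absent on .NET Framework).
    internal static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Keep the key only in the application settings of the MVC app and the API; if it ever reaches a view or script served to the browser, the restriction to the hosted application no longer holds.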
