Mattl

Reputation: 1618

ASP.NET MVC 3 Restrict API Access

I have an ASP.NET MVC 3 application with a self hosted ServiceStack API that provides the data. After I added the API location path in Web.Config the API is callable by my code and works well:

<location path="api">
    <system.web>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>
</location>

The problem I have is that when the application is running the API is accessible via the browser - I can simply type http://localhost:xxxx/api into the browser. What would be a good approach to restricting access to my self hosted API so that I can continue to call it within the MVC 3 application but prevent users from accessing the API via the browser?

Note that at some point in the future I will want to expose some areas of the API to make them publicly accessible.

Upvotes: 2

Views: 993

Answers (2)

mythz

Reputation: 143284

Note: the Authorization and Authentication support built-into ServiceStack is independent and decoupled from ASP.NET's Authentication.

You can generically restrict access to all your services by inheriting from a base class which contains one or more of:

  • [Authenticate] - Only allow access to Authenticated users
  • [RequiredRole] - Only allow access to users in the specified roles
  • [RequiredPermission] - Only allow access to users with the specified permissions

Note: These attributes also work in your MVC Controllers that inherit from ServiceStackController or Controllers marked with the [ExecuteServiceStackFilters] attribute.

You can inspect an MVC + ServiceStack demo that uses these attributes in the Social Bootstrap Api example project.

Another way you can generically restrict access is by registering a global Request filter which gets executed on every request.

Upvotes: 2

Darin Dimitrov

Reputation: 1038710

One possibility is to use a specific user for accessing the API:

<location path="api">
    <system.web>
        <authorization>
            <allow users="api_user" />
        </authorization>
    </system.web>
</location>

Then configure your API to be accessible only by the api_user. This way any other authenticated user in the browser won't be able to access this API. In your ASP.NET MVC 3 application you could create an authentication ticket with the given user before sending an HTTP request to the API.

Also notice that using the <location> tag in web.config to control authorization in an ASP.NET MVC application is a very bad idea. The reason for this is that you are relying on some url (api). But ASP.NET MVC works with routes. So you should be using the [Authorize] or a custom authorization attribute to decorate the corresponding controllers/actions that you want to protect. This way your authorization is no longer dependent on your routing configuration.

Another possibility is to use a custom authorization attribute and implement an access token.

Upvotes: 2
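The two mechanisms the answers above describe, a global request filter carrying an access token and a base service class decorated with ServiceStack's attributes, as an added example that is not code from either answer or from ServiceStack itself. It assumes the ServiceStack v3 hosting API of the time (AppHostBase, RequestFilters, IHttpResponse.Close) and a constructed placeholder token; the header name X-Api-Token and the class names are my own.

```csharp
using ServiceStack.ServiceInterface;
using ServiceStack.WebHost.Endpoints;

// Constructed example: every service that inherits from this base class
// additionally requires a ServiceStack-authenticated session. When parts of
// the API are later made public, those services simply do not inherit it.
[Authenticate]
public class SecureService : Service { }

public class AppHost : AppHostBase
{
    public AppHost() : base("Restricted API", typeof(AppHost).Assembly) { }

    public override void Configure(Funq.Container container)
    {
        // Placeholder secret (constructed). Load the real value from protected
        // configuration rather than source; the MVC app sends the same value
        // in the X-Api-Token header on every call it makes to /api.
        const string expectedToken = "PLACEHOLDER-TOKEN";

        // Global request filter: runs before any service executes. A browser
        // request to /api carries no token and is rejected with 403, while the
        // MVC application's own calls pass through.
        this.RequestFilters.Add((httpReq, httpRes, requestDto) =>
        {
            var presented = httpReq.Headers["X-Api-Token"];
            if (presented == null || !FixedTimeEquals(presented, expectedToken))
            {
                httpRes.StatusCode = 403;
                httpRes.Close(); // ends the request; the service never runs
            }
        });
    }

    // Compare the full length so a mismatch position is not observable
    // through response timing.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The filter guards the whole /api location regardless of routing, which addresses the concern about relying on the <location> path; role-based exposure later is done with [RequiredRole] or [RequiredPermission] on the services you choose to open up.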
