Creating an ASP.NET Web API module in Orchard CMS is simple and straightforward. The following link explains how to do it and it works just fine. http://www.sebastienros.com/web-api-makes-it-in-orchard
However, GET requests do not work when the WebAPI is running under Orchard and you use the [Authorize] attribute at the same time.

    [Authorize]
    public IEnumerable<string> Get()
    {
        return _moduleManager.GetUsers().Select(n => n.UserName);
    }

When I call this from the client

    HttpClientHandler handler = new HttpClientHandler();
    handler.Credentials = new NetworkCredential("user", "password");
    HttpClient client = new HttpClient(handler);
    var response = await client.GetAsync("http://localhost:30321/OrchardLocal/api/MyWebAPIModule/Users");
    Console.WriteLine(response);

the response variable returns to me the "Not found" HTML page from Orchard. Without the [Authorize], it returns a list of users.
Does Orchard have something already built-in to match the credentials with a registered user in Orchard? Or are there steps missing in the process?
Upvotes: 3
Views: 2077
Reputation: 1309
I think the problem is that if you are making a call in code, you need to pass any cookies in the request.
A user is authenticated against the website by the use of the aspnetAuth (or FedAuth) cookie, which is provided by the browser. So if you called /OrchardLocal/api/MyWebAPIModule/Users from the browser you would expect this to work (you should see this happen in Fiddler by looking at the headers/cookies).
However, if you make a call in code you need to pass cookies/auth. header yourself. The call you have does not have any of this, thus it fails (you should see the absence of the cookie in Fiddler for this request).
I'm not sure why you would call the api in this way from within your own module. Presumably the API controller calls a service that does the actual workload. You could call this service directly from your Driver/Action, still safe in the knowledge that your business logic is behind the service interface.
Upvotes: 0
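The check suggested in the answer above can also be done from code instead of Fiddler. This is an added example, not part of the original posts: it calls the URL from the question with redirects disabled, once without and once with an authentication cookie, and prints what the server actually answers. `COOKIE_NAME` and `COOKIE_VALUE` are placeholders for the cookie copied from a logged-in browser session; the class and method names are hypothetical.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

static class ApiAuthProbe
{
    // URL taken from the question.
    const string ApiUrl = "http://localhost:30321/OrchardLocal/api/MyWebAPIModule/Users";

    // cookieName/cookieValue are placeholders (assumption): copy the real
    // authentication cookie from a logged-in browser session.
    static async Task ProbeAsync(string cookieName, string cookieValue)
    {
        var target = new Uri(ApiUrl);
        var cookies = new CookieContainer();
        if (cookieName != null)
            cookies.Add(target, new Cookie(cookieName, cookieValue, "/"));

        var handler = new HttpClientHandler
        {
            CookieContainer = cookies,
            // Do not follow redirects, so a redirect is reported as such
            // instead of being replaced by the page it points to.
            AllowAutoRedirect = false
        };

        using (var client = new HttpClient(handler))
        using (var response = await client.GetAsync(target))
        {
            Console.WriteLine("Cookies sent:     {0}", cookies.GetCookies(target).Count);
            Console.WriteLine("Status:           {0} ({1})", (int)response.StatusCode, response.StatusCode);
            // Non-empty when the server redirects the request elsewhere.
            Console.WriteLine("Location:         {0}", response.Headers.Location);
            // HttpClientHandler.Credentials is only used in reply to a challenge listed here.
            Console.WriteLine("WWW-Authenticate: {0}",
                string.Join(", ", response.Headers.WwwAuthenticate.Select(h => h.ToString())));
        }
    }

    static void Main()
    {
        ProbeAsync(null, null).GetAwaiter().GetResult();                    // no cookie
        ProbeAsync("COOKIE_NAME", "COOKIE_VALUE").GetAwaiter().GetResult(); // with cookie
    }
}
```

If the first call shows a redirect or an empty `WWW-Authenticate` header, the `NetworkCredential` in the question is never consulted, and only the second call carries anything the site can authenticate.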
Reputation: 1016
This blog post may be a helpful resource for a deeper understanding of ASP.NET's Authorize attribute. It might help to look in the web.config file to see what the authentication mode is set to.
Upvotes: 0