CODEWITHSUNDEEP
asp.net-mvc-4asp.net-web-api
Omtechguy
Omtechguy

Reputation: 3651

WEBAPI ActionContext Request.Properties.Add for store sensitive information

I would like to pass information from the action filter (database) to the Action function.

Is it secure to use ActionContext Request.Properties.Add to store the data?

is there any chance that the information will be seen by the WEBAPI client or its safe as it safe to store information in the Cache\Session?

Is it a better way to do it?

Upvotes: 5

Views: 3468

Answers (1)

Yishai Galatzer
Yishai Galatzer

Reputation: 8862

The client will not see request properties unless you explicitly serialize them. They completely remain on the server side.

To answer your followup question here are two other ways to do it. There is no "Best" way per se. It all depends on how far you want the information to flow, and how generic you want your filter to be. My personal preference is using the controller object, but again it is just a preference.

For the sample here is a simple values controller and a POCO class:

[MyActionfilter]
public class ValuesController : ApiController
{
    public string Foo { get; set; }

    public User Get(User user)
    {
        if (Foo != null && user != null)
        {
            user.FamilyName = Foo;
        }

        return user;
    }
}


public class User
{
    public string FirstName { get; set; }
    public string FamilyName { get; set; }
}

The action filter below is naively implementing access to the controller object or the method parameters. Note that it's up to you to either apply the filter sparingly or do type checks/dictionary checks.

public class MyActionfilter : ActionFilterAttribute
{
    public override void OnActionExecuting(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        controller = actionContext.ControllerContext.Controller;

        // Not safe unless applied only to controllers deriving
        // from ValuesController
        ((ValuesController)controller).Foo = "From filter";

        // Not safe unless you know the user is on the signature
        // of the action method.
        actionContext.ActionArguments["user"] = new User()
        {
            FirstName = "From filter"
        };
    }
}

Upvotes: 5

Related Questions