
I have an ASP.NET MVC 3 application with a self hosted ServiceStack API that provides the data. After I added the API location path in Web.Config the API is callable by my code and works well:

<location path="api">
    <system.web>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>
</location>

The problem I have is that when the application is running the API is accessible via the browser - I can simply type http://localhost:xxxx/api into the browser. What would be a good approach to restricting access to my self hosted API so that I can continue to call it within the MVC 3 application but prevent users from accessing the API via the browser?

Note that at some point in the future I will want to expose some areas of the API to make them publicly accessible.

2 Answers


Note: the Authorization and Authentication support built-into ServiceStack is independent and decoupled from ASP.NET's Authentication.

You can generically restrict access to all your services by inheriting from a base class which contains one or more of:

  • [Authenticate] - Only allow access to Authenticated users
  • [RequiredRole] - Only allow access to users in the specified roles
  • [RequiredPermission] - Only allow access to users with the specified permissions

Note: These attributes also work in your MVC Controllers that inherit from ServiceStackController or Controllers marked with the [ExecuteServiceStackFilters] attribute.

You can inspect a MVC + ServiceStack demo that uses these attributes in the Social Bootstrap Api example project.

Another way you can generically restrict access is by registering a global Request filter, which gets executed on every request.
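The two mechanisms above, as an added example rather than code from the answer or from the ServiceStack project: a base service class carrying [Authenticate], a role-restricted service stacked on top of it, a service left public, and a global request filter in a self-hosted AppHost that gates every non-whitelisted request on a shared-secret header the browser will never send by itself. It is written against the ServiceStack v3 API (AppHostHttpListenerBase, RequestFilters, IHttpRequest/IHttpResponse); v4 renamed these to GlobalRequestFilters and IRequest/IResponse. The header name, the token value, the route names and the returned data are all assumptions made for the example.

```csharp
using System;
using System.Net;
using System.Text;
using ServiceStack.ServiceHost;
using ServiceStack.ServiceInterface;
using ServiceStack.WebHost.Endpoints;

// 1. Base class: every service inheriting it requires an authenticated
//    ServiceStack session (independent of ASP.NET Forms authentication).
//    [Authenticate]/[RequiredRole] need the AuthFeature plugin registered
//    in Configure(); that registration is omitted here.
[Authenticate]
public abstract class ProtectedService : Service { }

[Route("/orders")]
public class GetOrders : IReturn<GetOrdersResponse> { }
public class GetOrdersResponse { public string[] Orders { get; set; } }

public class OrdersService : ProtectedService
{
    public GetOrdersResponse Get(GetOrders request)
    {
        // constructed sample data
        return new GetOrdersResponse { Orders = new[] { "order-1", "order-2" } };
    }
}

// 2. Stack a role requirement on top of the base class for admin endpoints.
[Route("/admin/users")]
public class ListUsers : IReturn<string[]> { }

[RequiredRole("Admin")]
public class AdminService : ProtectedService
{
    public string[] Get(ListUsers request) { return new[] { "alice", "bob" }; }
}

// 3. A service meant to become public later simply does not inherit ProtectedService.
[Route("/ping")]
public class Ping : IReturn<string> { }
public class PingService : Service
{
    public string Get(Ping request) { return "pong"; }
}

public class ApiHost : AppHostHttpListenerBase
{
    // Hypothetical shared secret known only to the MVC application.
    // Load it from protected configuration in practice; hard-coded here for the example.
    static readonly byte[] ApiToken = Encoding.UTF8.GetBytes("replace-with-random-secret");

    public ApiHost() : base("Internal API", typeof(OrdersService).Assembly) { }

    public override void Configure(Funq.Container container)
    {
        // Global request filter: runs before every service, so it can gate the
        // whole API on a header a browser address bar never sends.
        RequestFilters.Add((httpReq, httpRes, requestDto) =>
        {
            if (requestDto is Ping) return; // whitelisted public DTO

            var presented = httpReq.Headers["X-Api-Token"];
            if (presented == null ||
                !FixedTimeEquals(Encoding.UTF8.GetBytes(presented), ApiToken))
            {
                httpRes.StatusCode = (int)HttpStatusCode.Forbidden;
                httpRes.Close(); // ends the request; the service never executes
            }
        });
    }

    // Compare the full length regardless of where the first mismatch is,
    // so response timing does not reveal how much of the token was right.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Start it with `new ApiHost().Init()` followed by `Start("http://localhost:xxxx/api/")`. The filter and the attributes are complementary: the filter answers "is this caller my MVC application at all?", the attributes answer "which authenticated user, in which role, may reach this particular service?", which is what you will need once parts of the API are opened to the public. Send the token only over HTTPS; a header on plain HTTP is readable by anyone on the path.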




One possibility is to use a specific user for accessing the API:

<location path="api">
    <system.web>
        <authorization>
            <allow users="api_user" />
        </authorization>
    </system.web>
</location>

Then configure your API to be accessible only by the api_user. This way any other authenticated user in the browser won't be able to access this API. In your ASP.NET MVC 3 application you could create an authentication ticket with the given user before sending an HTTP request to the API.

Also notice that using the <location> tag in web.config to control authorization in an ASP.NET MVC application is a very bad idea. The reason for this is that you are relying on some url (api). But ASP.NET MVC works with routes. So you should be using the [Authorize] or a custom authorization attribute to decorate the corresponding controllers/actions that you want to protect. This way your authorization is no longer dependent on your routing configuration.

Another possibility is to use a custom authorization attribute and implement an access token.
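The custom-attribute-plus-access-token approach from this answer, as an added example that is not the answerer's code: an AuthorizeAttribute subclass for ASP.NET MVC 3 that admits a request only when it carries a shared token header, returns a plain 403 instead of the login redirect Forms authentication would produce, and is applied per controller so protection follows the route table rather than a URL prefix. The header name, token value, controller and action names are assumptions for the example. Note that an MVC attribute only guards controllers inside the MVC application; a separately hosted ServiceStack process has to perform the same token check on its own side.

```csharp
using System;
using System.IO;
using System.Net;
using System.Text;
using System.Web;
using System.Web.Mvc;

public class ApiTokenAuthorizeAttribute : AuthorizeAttribute
{
    const string HeaderName = "X-Api-Token"; // hypothetical header name

    // Load from protected configuration or a secret store in practice;
    // hard-coded here only to keep the example self-contained.
    static readonly byte[] ExpectedToken = Encoding.UTF8.GetBytes("replace-with-random-secret");

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Only accept the token over TLS: on plain HTTP the header is readable
        // by anyone on the path. Relax this for local development only.
        if (!httpContext.Request.IsSecureConnection) return false;

        var presented = httpContext.Request.Headers[HeaderName];
        return presented != null
            && FixedTimeEquals(Encoding.UTF8.GetBytes(presented), ExpectedToken);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // The base class answers 401, which Forms authentication turns into a
        // redirect to the login page. A machine caller wants a plain 403.
        filterContext.Result = new HttpStatusCodeResult((int)HttpStatusCode.Forbidden);
    }

    // Full-length comparison so timing does not reveal a partial match.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Decorating the controller protects every action reachable through any route,
// regardless of how the route table maps URLs to it.
[ApiTokenAuthorize]
public class ApiController : Controller
{
    public ActionResult Orders()
    {
        // constructed sample data
        return Json(new[] { "order-1", "order-2" }, JsonRequestBehavior.AllowGet);
    }
}

// Actions meant for browser users keep the stock [Authorize] (or nothing).
public class HomeController : Controller
{
    public ActionResult Index() { return View(); }
}

// Server-side caller: the MVC application attaches the token when it talks to the API.
public static class ApiClient
{
    public static string Get(string url, string token)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.Headers["X-Api-Token"] = token;
        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
        {
            return reader.ReadToEnd();
        }
    }
}
```

When parts of the API are later opened to the public, the controllers or actions concerned drop the attribute (or swap it for [Authorize] with roles), and nothing in the routing or web.config has to change.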

