Let's say that I have a ASP.NET application that have some APIs.
For example,
{HostName}/api/a/*
{HostName}/api/b/*
Now I want to disable all {HostName}/api/a/* APIs(But remain /api/b/*). When client call /api/a/* APIs, they get a 404 error. When client call /api/b/* APIs, response normally.
Is there any way to do this in c# ASP.NET application?
There are several approaches a can take to disable certain actions or routes as mentioned in the comments.
1.) [NonAction] attribute
The [NonAction] attribute from System.Web.Http can be applied for ApiController actions. If such a method is called then the server returns the HTTP Code 404 (Method not found). The attribute can only be applied on method level and not on classes. So every single method has to be decorated with this attribute.
2.) Writing a custom action filter
This approach gives you more control. Your filter can be applied on class level and you can implement some more advanced logic in which conditions your controller is accessible or not (depending on dates, licences, feature toggles and so forth)
public class MyNoActionFilterAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(HttpActionContext actionContext)
{
if (IfDisabledLogic(actionContext))
{
actionContext.Response = new HttpResponseMessage(HttpStatusCode.NotFound);
}
else
base.OnActionExecuting(actionContext);
}
}
[MyNoActionFilter]
public class ValuesController : ApiController
{
// web api controller logic...
}
3.) Route Configuration in WebApiConfig.cs
You can add a web api route for the inaccessible controllers in the WebApiConfig and map this route to a non existant controller. Then the framework takes this route, does not find the controller and sends a 404 return code to the client. It is important to place these routes at the beginning in order to avoid undesired execution.
public static class WebApiConfig
{
public static void Register(HttpConfiguration config)
{
// Web API configuration and services
config.Routes.MapHttpRoute(
name: "DisabledApi",
routeTemplate: "api/b/{id}",
defaults: new { controller = "DoesNotExist", id = RouteParameter.Optional }
);
config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "api/{controller}/{id}",
defaults: new { id = RouteParameter.Optional }
);
}
}
Because you stated not to use attributes because of the amount of work I recommend the third option, because the route configuration defines a single place for this. And if you want to enable the route in the future again you have to remove only one route definition.
actionContext.Response you should set actionContext.Result so that it returns immediately; i.e: actionContext.Result = new NotFoundObjectResult(actionContext.ModelState);Might be a hack, but works fine for me:
Changing scope of the Controller from public to internal hides all actions from that Controller class. So:
internal class AController : ApiController
{
[...]
}
Requests to http://host/api/a/* then will fail with "No type was found that matches the controller named 'a'."
Feature flags were built for this purpose
To enable this in your app:
Add the Microsoft.FeatureManagement.AspNetCore nuget package to your project.
Add the feature management service to your builder in Program.cs: builder.Services.AddFeatureManagement();
Add settings for the features you want to turn on and off in appsettings.json:
{ "FeatureManagement": {
"AdminAccess": true,
"AnonymousAccess": false
}
Add the FeatureGate decorator to the controllers/actions you want to control access to: [FeatureGate("AnonymousAccess")]
DisableFunctionalityActionFilterand assign it to a controller / area / action, which must be disabled.NonActionattribute? To prevent a method from getting invoked as an action, use the NonAction attribute. This signals to the framework that the method is not an action, even if it would otherwise match the routing rules.