60

Using the new ASP.NET Web API beta. I can not seem to get the suggested method of authenticating users, to work. Where the suggested approach seems to be, to add the [Authorize] filter to the API controllers. For example:

[Authorize] 
public IEnumerable<Item> Get()
{
    return itemsService.GetItems();
}

This does not work as intended though. When requesting the resource, you get redirected to a login form. Which is not very suitable for a RESTful webapi.

How should I proceed with this? Will it work differently in future versions?, or should I fall back to implementing my own action filter?

Improve this question
1

7 Answers 7

Reset to default
96

Double check that you are using the System.Web.Http.AuthorizeAttribute and not the System.Web.Mvc.AuthorizeAttribute. This bit me before. I know the WebAPI team is trying to pull everything together so that it is familiar to MVC users, but I think somethings are needlessly confusing.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Yeah I think this is the preferred method, didn't realize they introduced an entirely new attribute class hierarchy, I agree, confusing...
Yea, they should preface every "Hello World" example with a disclaimer about the different namespace for MVC vs Web Api
Yea, <superDuperBold>System.Web.Http</superDuperBold> != <superDuperBold>System.Web.Mvc</superDuperBold>
Great, glad I've found this after an hour of searching everywhere around.
4

Set your authentication mode to None:

<authentication mode="None" />

None Specifies no authentication. Your application expects only anonymous users or the application provides its own authentication.

http://msdn.microsoft.com/en-us/library/532aee0e.aspx

Of course then you have to provide some sort of authentication via headers or tokens or something. You could also specify Windows and use the built in auth via headers.

If this site is mixed between API and actual pages that do need the Forms setting, then you will need to write your own handling.

All the attribute does is return an HttpUnauthorizedResult instance, the redirection is done outside of the attribute, so its not the problem, its your authentication provider.

Improve this answer

Comments

2

You are being redirected to login page because forms authentication module does this automatically. To get rid of that behavior disable forms authentication as suggested by Paul. If you want to use more REST friendly approach you should consider implementing HTTP authorization support. Take a look at this blog post http://www.piotrwalat.net/basic-http-authentication-in-asp-net-web-api-using-membership-provider/

Improve this answer

Comments

1

ASP.NET 5 Introduced the new Microsoft.AspNet.Authorization System which can secure both MVC and Web API controllers.

For more see my related answer here.

Update:

At that time 2 years ago it was Microsoft.AspNetCore.Authorization.

As @Chris Haines pointed out. now it resides on Microsoft.AspNetCore.Authorization.

From .NET core 1.0 to 2.0 many namespaces have been moved i think. And spread functionality between .net classic and core was obscure. That's why Microsoft introduced the .net standard.

.net standard

Improve this answer

2 Comments

I think you mean Microsoft.AspNetCore.Authorization?
At that time 2 yers ago it was Microsoft.AspNetCore.Authorization.As you can see . nuget.org/packages/Microsoft.AspNet.Authorization From .NET core 1.0 to 2.0 many namespaces have been moved i think. And spread functionality between .net classic and core was obscure. I think that's why microsoft introduced the .net standard. learn.microsoft.com/en-us/dotnet/standard/net-standard
0

Also, look at my answer for: How to secure an ASP.NET Web API

There is a NuGet package I have created which you can use for convenience.

Improve this answer

Comments

0

If you're using a Role, make sure you have it spelled correctly :

If your role is called 'Administrator' then this - for instance will not work :

    [System.Web.Http.Authorize(Roles = "Administator")]

Neither will this :

    [System.Web.Http.Authorize(Roles = "Administrators")]

Oops...

Improve this answer

Comments

0 
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
[Produces("application/json")]
[Route("api/[controller]")]
public class CitiesController : Controller
{
        [HttpGet("[action]")]
        public IActionResult Get(long cityId) => Ok(Mapper.Map<City, CityDTO>(director.UnitOfWork.Cities.Get(cityId)));
}

Use

[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]

Filter with authentication type

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.