Best IT Recipes

ASP.NET Web API Authorization with Authorized Attribute

Use the new beta version of ASP.NET Web API. I cannot get the proposed user authentication method to work. Where the proposed approach seems to be proposed, add the [Authorize] filter to the API controllers. For example:

 [Authorize] public IEnumerable<Item> Get() { return itemsService.GetItems(); }

This does not work properly. When you request a resource, you are redirected to the login form. This is not very suitable for a RESTful website.

How can I continue this? Will it work differently in future versions ?, or should I return to implementing my own action filter?

+56
rest asp.net-web-api
Mar 02 '12 at 10:13
source share
7 answers

Double check that you are using System.Web.Http.AuthorizeAttribute and not System.Web.Mvc.AuthorizeAttribute . It bit me a bit. I know that the WebAPI team is trying to put everything together so that it is familiar to MVC users, but I think something is uselessly confusing.

+88
Mar 02 2018-12-12T00:
source share

Set authentication mode to No :

 <authentication mode="None" />

No Does not specify authentication. Only anonymous users are expected in your application, or the application provides its own authentication.

http://msdn.microsoft.com/en-us/library/532aee0e.aspx

Of course, you must provide some authentication through headers or tokens or something else. You can also specify Windows and use the built-in auth through the headers.

If this site is mixed between the API and the actual pages that need Forms customization, then you will need to write your own processing.

The whole attribute returns an instance of HttpUnauthorizedResult , the redirection is performed outside the attribute, therefore its not a problem, its authentication provider.

+4
Mar 02 2018-12-12T00:
source share

Finally, I found a solution at: ASP.NET MVC 4 WebAPI Authorization

This article shows how you can fix this problem.

+4
Mar 14 2018-12-14T00:
source share

You are redirected to the login page because the forms authentication module does this automatically. To get rid of this behavior, disable forms authentication, as suggested by Paul. If you want to use a more friendly REST approach, you should consider supporting HTTP authorization. Take a look at this blog post http://www.piotrwalat.net/basic-http-authentication-in-asp-net-web-api-using-membership-provider/

+2
May 21 '12 at 9:45
source share

ASP.NET 5 A new Microsoft.AspNet.Authorization support system has been introduced that can protect both MVC and web API controllers.

See my answer for more details.

Update:

At that time, 2 years ago it was Microsoft.AspNetCore.Authorization.

As Chris Haines remarked. Now it is on Microsoft.AspNetCore.Authorization.

From .NET core 1.0 to 2.0, many namespaces have been moved, I think. And the distribution of functionality between .net classic and the kernel was unclear. That's why Microsoft introduced the .net standard.

.NET standard

+1
Feb 15 '16 at 10:54
source share

Also, see my answer for: How to protect ASP.NET web API

There is a NuGet package that I created that you can use for convenience.

0
May 20 '13 at 3:55
source share

If you use a role, make sure it is spelled correctly:

If your role is called "Administrator", then this, for example, will not work:

  [System.Web.Http.Authorize(Roles = "Administator")]

Also it will not be:

  [System.Web.Http.Authorize(Roles = "Administrators")]

Oops ...

0
Nov 22 '15 at 23:22
source share


More articles:


All Articles