
On an existing host I've added Web API Models & Controllers. I've added the following four:

  • Products
  • Orders
  • Categories
  • Users

When someone accesses the localhost:port\api\products, it returns all the products in JSON format.

The Create, Update and Delete statements are completely disabled, so we are only able to use GET requests on the API (so either \api\products for a list of all products or \api\products\# for a single product with id #).

Because the other CRUD operations aren't used, there isn't a lot of security that should be added to the Web API, except for one thing: the Users.

These will also return emails and such, which would be better to keep private and unreadable without the proper authorization (without entire log-in pages, but a way to authenticate yourself when accessing the Web API in for example Android HttpGetRequests).

So, the question: how should I add authorization for only the UsersController accessed by the Web API?

And, how can I encrypt the JSON in C# and decrypt it in Android again? If this second part is too big to answer I'll make a new question later on; my main focus is the low-end [<- without log-in pages, so built into the GET request] authorization of the Web API's GET request for Users.


Edit 1: I did find this link where a new project is made with Authorization changed to Individual Users. I also see that the user is registered and then logged in with POST and GET requests.

The following questions came into mind when reading through this link:

  • How to change the Web API's Authorization to Individual Users on an existing project?
  • Our authorization is done through OAuth (mainly Google-account) with our work e-mail address. I guess it's not possible / easy to authorize in the same way as in the link with a Google-account on Web API GET-requests.

Edit 2: After using the first link provided by Vladimir Gondarev I've added the [Authorize] to both the Get methods in the UsersController. In my project everything else was already used before, like a class that uses the AuthorizeAttribute, so just adding the [Authorize] was already enough for the first step. Now in the browser I get an unauthorized (JSON) back when I'm not logged in, which is good.

The next step would be to add the OAuth-authorization to the Android app, but that is an entire new problem / question that I will look into first before asking a new stackoverflow-question.

1 Answer

The simplest solution would be "Basic Authentication". In order to implement it you have to derive from AuthorizeAttribute and then apply it to a method or a controller. Here you find further info:

What is Basic Authentication:

http://www.asp.net/web-api/overview/security/basic-authentication

Implementation:

ASP.net Web API RESTful web service + Basic authentication

You don't have to encrypt anything as long as you use HTTPS transport.
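The approach the answer describes (a subclass of the Web API `AuthorizeAttribute` applied only to the controller that exposes private data), as an added example that is not part of the question, the answer or the linked articles. It targets ASP.NET Web API 2 (`System.Web.Http`). The `DemoUserStore` class, the `BasicAuthorizeAttribute` name, the demo user "demo" with password "correct horse" and the sample data in the controller are all constructed for the example; a real project would look the user up in its own user table.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Web.Http;
using System.Web.Http.Controllers;

// Constructed stand-in for a user table: one user, password stored only as a PBKDF2 hash.
public static class DemoUserStore
{
    private const int Iterations = 100000;
    private static readonly byte[] Salt = Encoding.UTF8.GetBytes("constructed-demo-salt");
    // Hash of the constructed demo password, derived once at startup (never stored in clear).
    private static readonly byte[] DemoHash = Derive("correct horse");

    public static byte[] Derive(string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, Salt, Iterations))
        {
            return kdf.GetBytes(32);
        }
    }

    public static bool Validate(string user, string password)
    {
        if (user != "demo") return false;
        return FixedTimeEquals(Derive(password), DemoHash);
    }

    // Constant-time comparison so response timing does not reveal how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Derives from System.Web.Http.AuthorizeAttribute, as the answer suggests.
public class BasicAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        HttpRequestMessage request = actionContext.Request;

        // Basic credentials are only base64-encoded, so never accept them over plain HTTP.
        if (!string.Equals(request.RequestUri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
            return false;

        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth == null
            || !string.Equals(auth.Scheme, "Basic", StringComparison.OrdinalIgnoreCase)
            || string.IsNullOrEmpty(auth.Parameter))
            return false;

        string decoded;
        try
        {
            decoded = Encoding.UTF8.GetString(Convert.FromBase64String(auth.Parameter));
        }
        catch (FormatException)
        {
            return false; // malformed base64 is an unauthenticated request, not a server error
        }

        // RFC 7617 layout is user-id ":" password; only the first colon separates them.
        int sep = decoded.IndexOf(':');
        if (sep <= 0) return false;
        string user = decoded.Substring(0, sep);
        string password = decoded.Substring(sep + 1);

        if (!DemoUserStore.Validate(user, password)) return false;

        // Publish the identity so the action (and User.Identity) can see who is calling.
        var principal = new GenericPrincipal(new GenericIdentity(user, "Basic"), new string[0]);
        Thread.CurrentPrincipal = principal;
        if (actionContext.RequestContext != null) actionContext.RequestContext.Principal = principal;
        return true;
    }

    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        // 401 with a challenge header tells the client which scheme the endpoint expects.
        actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
        actionContext.Response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"api\""));
    }
}

// Applied to this controller only; Products, Orders and Categories stay unauthenticated.
[BasicAuthorize]
public class UsersController : ApiController
{
    public IHttpActionResult Get()
    {
        // Constructed sample data; a real action would query the user table.
        return Ok(new[] { new { Id = 1, Name = User.Identity.Name, Email = "demo@example.com" } });
    }
}
```

A client such as an Android app sends the credentials in a single header, `Authorization: Basic <base64(user:password)>`, on each GET request; because that header is only encoded, not encrypted, the attribute refuses any request that did not arrive over HTTPS, which is the same point the answer makes about not needing to encrypt the JSON separately. The password hash is compared in constant time, and a missing or malformed header produces a 401 with a `WWW-Authenticate` challenge rather than a 500.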


1 Comment

Thanks for the first link, after I added [Authorize] to the Get-methods of the UsersController it's already enough, since everything else was already present in the project. And since I already added OAuth-authorization to the Android app, I can now focus on the Android app and commit the Web API changes to the online host.
