9

I was wandering if there is a way to enable Windows authentication only for the particular action of the particular ASP.Net Web API controller. My Web API web service has a couple of controllers with numerous actions, but only one action of one controller needs Windows authentication. This web services is implemented using Web API 2.1, and is hosted in IIS (v7.5 and above). Even though, it’s an intranet web service I don’t want to enable windows authentication on controllers and actions that don’t need it. Please let me know if there is a way to enable Windows authentication for a specific controller and action.

My web service code is similar to the code below. Only endpoint api/controller1/action1 implemented by Controller1.Action1 requires windows authentication. The rest of actions don't need Windows authentication:

[RoutePrefix("api/controller1")]
public class Controller1: ApiController
{
    [Route("action1")]
    public HttpResponseMessage Action1()
    {
        return Request.CreateResponse<object>(HttpStatusCode.OK, null);
    }
    [Route("action2")]
    public HttpResponseMessage Action2()
    {
        return Request.CreateResponse<object>(HttpStatusCode.OK, null);
    }
}


[RoutePrefix("api/controller2")]
public class Controller2 : ApiController
{
    [Route("action1")]
    public HttpResponseMessage Action1()
    {
        return Request.CreateResponse<object>(HttpStatusCode.OK, null);
    }
    [Route("action2")]
    public HttpResponseMessage Action2()
    {
        return Request.CreateResponse<object>(HttpStatusCode.OK, null);
    }
}

Thank you, Rita

Improve this question
2
  • I have the same requirement. Did you figure out how to do this? Commented Apr 11, 2017 at 18:39
  • 2
    I went with a deployment time solution instead. I used appcmd.exe tool to enable Windows authentication for a route: C:\Windows\system32\inetsrv\appcmd.exe set config "baseUrl/api/controller1/action1" -section:system.webServer/security/authentication/windowsAuthentication /enabled:"True" /commit:apphost Commented Apr 12, 2017 at 20:23

2 Answers 2

Reset to default
3

is this what your want? adding this to your config file.

<location path="api/controller1">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

I had the same problem. The solution was

  1. Enable Windows Authentication in IIS Website, where your API is hosted. If you are using OWIN to self host, see this SO discussion

  2. Then in your controller or controller action, which requires Windows Authentication, just add an "Authorize" attribute.

    [Authorize] public async Task GetDocumentContent([FromUri]DocumentContentRequest request) {

    }

That is it.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.