Question

On an existing host I've added Web API Models & Controllers. I've added the following four:

  • Products
  • Orders
  • Categories
  • Users

When someone accesses the localhost:port\api\products, it returns all the products in JSON format.

The Create, Update and Delete statements are completely disabled, so we are only able to use GET-requests on the API (so either \api\products for a list of all products or api\products\# for a single product with id #).

Because the other CRUD's aren't used, there isn't a lot of security that should be added to the Web API, except for one thing: The Users

These will also return emails and such, which would be better to keep private and unreadable without the proper authorization (without entire log-in pages, but a way to authenticate yourself when accessing the Web API in for example Android HttpGetRequests).

So, the question: How should I add authorization for only the UsersController accessed by the Web API.

And, how can I encrypt the JSON in C# and decrypt it in Android again. If this second part is too big to answer I'll make a new question later on, my main focus is the low-end [<- without log-in pages, so built in into the GET-request] authorization of the Web API's GET-request for Users.


Edit 1: I did find this link where a new project is made with Authorization changed to Individual Users. I also see that the user is registered and then logged in with POST and GET requests.

The following questions came into mind when reading through this link:

  • How to change the Web API's Authorization to Individual Users on an existing project?
  • Our authorization is done through OAuth (mainly Google-account) with our work e-mail address. I guess it's not possible / easy to authorize in the same way as in the link with a Google-account on Web API GET-requests.

Edit 2: After using the first link provided by Vladimir Gondarev I've added the [Authorize] to both the Get methods in the UsersController. In my project everything else was already used before, like a class that uses the AuthorizeAttribute, so just adding the [Authorize] was already enough for the first step. Now in the browser I get an unauthorized (JSON) back when I'm not logged in, which is good.

The next step would be to add the OAuth-authorization to the Android app, but that is an entire new problem / question that I will look into first before asking a new stackoverflow-question.


Solution

The simplest solution would be "Basic Authentication". In order to implement it you have to derive from AuthorizeAttribute and then apply it to a method or a controller. Here you find further info:

What is basic Authentication:

http://www.asp.net/web-api/overview/security/basic-authentication

Implementation:

ASP.net Web API RESTful web service + Basic authentication

You don't have to encrypt anything as long as you use HTTPS transport.
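An added example (not from the answer or the linked articles) of the approach described above: a Web API 2 attribute derived from AuthorizeAttribute that checks HTTP Basic credentials and is applied only to UsersController, leaving the other controllers anonymous. The attribute name and the `ValidateCredentials` hook are hypothetical; the hook is what you would point at your own user store.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Web.Http;
using System.Web.Http.Controllers;

// Hypothetical attribute; apply it as [BasicAuthorize] on UsersController only,
// so /api/products etc. stay anonymous while /api/users requires credentials.
public class BasicAuthorizeAttribute : AuthorizeAttribute
{
    // Hypothetical hook: set at startup to check (userName, password) against your user store.
    // Defaults to deny so a misconfigured deployment fails closed.
    public static Func<string, string, bool> ValidateCredentials = (u, p) => false;

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        var request = actionContext.Request;
        // Basic credentials are only base64-encoded, so refuse them over plain HTTP.
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
            return false;

        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth == null || !"Basic".Equals(auth.Scheme, StringComparison.OrdinalIgnoreCase)
            || string.IsNullOrEmpty(auth.Parameter))
            return false;

        string userName, password;
        try
        {
            // Header parameter is base64("user:password"); split on the first colon only,
            // because the password itself may contain colons.
            string decoded = Encoding.UTF8.GetString(Convert.FromBase64String(auth.Parameter));
            int sep = decoded.IndexOf(':');
            if (sep < 0) return false;
            userName = decoded.Substring(0, sep);
            password = decoded.Substring(sep + 1);
        }
        catch (FormatException) { return false; }   // malformed base64

        if (!ValidateCredentials(userName, password))
            return false;

        // Expose the caller's identity to the controller (User.Identity.Name) and to Roles/Users checks.
        actionContext.RequestContext.Principal =
            new GenericPrincipal(new GenericIdentity(userName, "Basic"), new string[0]);
        return true;
    }

    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        // 401 plus a challenge header so clients know Basic is expected on this resource.
        actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
        actionContext.Response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"api\""));
    }
}
```

An Android client then sends `Authorization: Basic <base64(user:password)>` on each GET, which is the "built into the GET-request" authorization the question asks for; the HTTPS check is what makes that acceptable without separately encrypting the JSON.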

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow