Tuesday, August 27, 2019

ASP.NET Web API Action Filter


A Web API action filter adds logic that runs before or after an action method executes. It is the usual place for cross-cutting concerns such as authentication, authorization and logging.

An action filter is applied as an attribute on a single action method or on a whole Web API controller, or registered globally so that it applies to every controller in the application.

Figure: Web API Action Filter

For more information, see The Lifecycle of an ASP.NET Web API.


ASP.NET Web API provides the abstract class ActionFilterAttribute (in System.Web.Http.Filters) as the base class for a custom action filter.

The ActionFilterAttribute class has two virtual methods that you override:

  1. OnActionExecuting(HttpActionContext actionContext) – called before the controller action is executed.
  2. OnActionExecuted(HttpActionExecutedContext actionExecutedContext) – called after the controller action has executed, or has thrown; in the latter case actionExecutedContext.Response is null and the exception is available on actionExecutedContext.Exception.

The HttpActionContext (reachable in OnActionExecuted through actionExecutedContext.ActionContext) exposes the current HttpRequestMessage, so a filter can read the request headers, the request URL, the bound action arguments (actionContext.ActionArguments) and the requesting user (actionContext.RequestContext.Principal). Setting actionContext.Response inside OnActionExecuting short-circuits the request: the action method is not invoked and that response is returned to the caller.

Note that Web API runs filters in a fixed order: authentication filters, then authorization filters, then action filters, and the action's parameters are model-bound before any action filter runs. The example below uses ActionFilterAttribute to show the hook, but for an authorization check the AuthorizationFilterAttribute base class (override OnAuthorization, which takes the same HttpActionContext) runs earlier and rejects the request before any caller-supplied input has been bound.
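As an added example (not code from the original post), here is a filter that uses both hooks together: OnActionExecuting starts a Stopwatch and stores it in the per-request property bag, and OnActionExecuted reads it back and records the route, the outcome status and any exception. Trace.TraceInformation stands in for whatever logging framework the application uses (an assumption). Note that it deliberately logs the request path and not the request headers, so an API token never lands in the log.

```csharp
using System;
using System.Diagnostics;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Added example: a timing/outcome logger built on the two ActionFilterAttribute hooks.
public class RequestTimingFilter : ActionFilterAttribute
{
    private const string StopwatchKey = "RequestTimingFilter.Stopwatch";

    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        // Request.Properties is per-request, so it is a safe place to carry state
        // between the two hooks. The filter instance itself is shared between
        // requests and must stay stateless.
        actionContext.Request.Properties[StopwatchKey] = Stopwatch.StartNew();
        base.OnActionExecuting(actionContext);
    }

    public override void OnActionExecuted(HttpActionExecutedContext actionExecutedContext)
    {
        var request = actionExecutedContext.Request;

        long elapsedMs = -1;
        object stopwatch;
        if (request.Properties.TryGetValue(StopwatchKey, out stopwatch))
        {
            elapsedMs = ((Stopwatch)stopwatch).ElapsedMilliseconds;
        }

        // Response is null when the action threw; Exception then carries the failure
        // and the framework will turn it into a 500 unless an exception filter intervenes.
        int status = actionExecutedContext.Response != null
            ? (int)actionExecutedContext.Response.StatusCode
            : 500;

        string controller = actionExecutedContext.ActionContext.ControllerContext.ControllerDescriptor.ControllerName;
        string action = actionExecutedContext.ActionContext.ActionDescriptor.ActionName;
        string failure = actionExecutedContext.Exception != null
            ? " exception=" + actionExecutedContext.Exception.GetType().Name
            : string.Empty;

        // Log the path, never the headers: the X_API_Token header is a credential.
        Trace.TraceInformation("{0} {1} -> {2}.{3} status={4} elapsed={5}ms{6}",
            request.Method, request.RequestUri.PathAndQuery, controller, action, status, elapsedMs, failure);

        base.OnActionExecuted(actionExecutedContext);
    }
}
```

Apply it as [RequestTimingFilter] on an action or controller, or register it globally with config.Filters.Add(new RequestTimingFilter()) in WebApiConfig.Register; registered globally it runs for every action alongside any authorization filter.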

Here is an example of a custom action filter that allows only callers in a specific role to invoke an action method.

using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

public class RestrictedAction : ActionFilterAttribute
{
    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        var isAuthorized = false;
        IEnumerable<string> values;
        // TryGetValues returns false when the header is absent; values is then null.
        var areHeadersPresent = actionContext.Request.Headers.TryGetValues("X_API_Token", out values);

        if (areHeadersPresent)
        {
            // Resolve the caller from the token; GetClient is the application's own lookup.
            ClientData client = ClientHelper.GetClient(values.FirstOrDefault());

            // Guard against an unknown token (null client) so the filter fails closed
            // with 403 instead of a NullReferenceException and a 500.
            if (client != null && client.Role == "Admin")
            {
                isAuthorized = true;
            }
        }

        if (!isAuthorized)
        {
            // Setting Response short-circuits the pipeline: the action method is never invoked.
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden, "Unauthorized Access");
        }

        base.OnActionExecuting(actionContext);
    }
}
  

In the action filter we read the API token from the HTTP request headers. If the X_API_Token header is present, the filter calls the GetClient method of the ClientHelper class to resolve the client from the token.

If the resolved client's role is not Admin, the filter sets a 403 Forbidden response on the action context, which short-circuits the pipeline so the action method never runs. Two details worth knowing: the body text "Unauthorized Access" is slightly misleading, since 401 Unauthorized is the status for a missing or invalid credential and 403 Forbidden for a valid credential that lacks the required right, so a missing header would more accurately return 401; and header names are conventionally hyphenated (X-API-Token), because some reverse proxies, nginx by default among them, silently drop headers whose names contain underscores, in which case X_API_Token never reaches the application.

Action Filter used for specific Action Method:

If we want to restrict a specific method, we simply apply the RestrictedAction attribute to that method.

Only callers with the Admin role can call the SaveOrder action to create a new order; for other roles the API rejects the request. GetOrder carries no attribute and stays open to everyone.

using System.Web.Http;
using System.Web.Http.Description;

public class OrderController : ApiController
{
    private readonly IOrderEngine _orderEngine;

    public OrderController(IOrderEngine orderEngine)
    {
        _orderEngine = orderEngine;
    }

    [HttpGet]
    [Route("api/Order")]
    [ResponseType(typeof(Order))]
    public IHttpActionResult GetOrder(int orderNumber)
    {
        Order order = _orderEngine.GetOrderByNumber(orderNumber);
        if (order == null)
        {
            return NotFound();
        }
        return Ok(order);
    }

    [HttpPost]
    [Route("api/Order")]
    [ResponseType(typeof(Order))]
    [RestrictedAction]   // only a token that resolves to the Admin role reaches this action
    public IHttpActionResult SaveOrder(Order order)
    {
        // Use a name distinct from the 'order' parameter; redeclaring it does not compile.
        Order savedOrder = _orderEngine.SaveOrder(order);
        if (savedOrder == null)
        {
            return BadRequest("Not able to Create an Order");
        }
        return Ok(savedOrder);
    }
}

Action Filter used for all methods of Web API Controller:

If we want to restrict a whole Web API controller, we simply apply the attribute to the controller class.

Only callers with the Admin role can call any action method of this OrderController; for other roles the API rejects the request.


using System.Web.Http;
using System.Web.Http.Description;

[RestrictedAction]   // applies to every action on this controller
public class OrderController : ApiController
{
    private readonly IOrderEngine _orderEngine;

    public OrderController(IOrderEngine orderEngine)
    {
        _orderEngine = orderEngine;
    }

    [HttpGet]
    [Route("api/Order")]
    [ResponseType(typeof(Order))]
    public IHttpActionResult GetOrder(int orderNumber)
    {
        Order order = _orderEngine.GetOrderByNumber(orderNumber);
        if (order == null)
        {
            return NotFound();
        }
        return Ok(order);
    }
}


Action Filter used for all Web API Controllers:

If we want to restrict every Web API controller in the application, we simply register the filter in the Web API configuration (WebApiConfig.Register).

Only callers with the Admin role can then call any action of this Web API application, including GetOrder; for other roles the API rejects the request. A globally registered filter has no built-in opt-out, so any endpoint that must stay public needs the filter to recognise an exemption (for example an [AllowAnonymous] attribute) itself.

using System.Web.Http;

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Web API configuration and services: a filter added here runs for every action
        config.Filters.Add(new RestrictedAction());

        // Web API routes
        config.MapHttpAttributeRoutes();

        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional }
        );
    }
}
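A hardened version of the same role check, added here as an example and not the post's own code, covering both the per-action use of RestrictedAction above and the global registration in this section. It is written as an AuthorizationFilterAttribute so that it runs before model binding, takes the allowed roles as attribute arguments, returns 401 when no usable token is presented and 403 when the token maps to a client outside the allowed roles, and honours [AllowAnonymous] on an action or controller so it can be registered globally without locking out public endpoints. It assumes the post's ClientHelper.GetClient(token) returns null for an unknown token and a ClientData with a string Role property otherwise.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Added example: role check as an authorization filter rather than an action filter.
// Assumes ClientHelper.GetClient(token) -> ClientData (with string Role) or null (assumption).
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class RequireRoleAttribute : AuthorizationFilterAttribute
{
    // Hyphenated name: proxies that drop underscore headers will still pass this one through.
    private const string TokenHeader = "X-API-Token";
    private readonly HashSet<string> _roles;

    public RequireRoleAttribute(params string[] roles)
    {
        // Ordinal comparison: "admin" and "Admin" are different roles.
        _roles = new HashSet<string>(roles, StringComparer.Ordinal);
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        // Opt-out for public endpoints when the filter is registered globally.
        if (actionContext.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Any() ||
            actionContext.ControllerContext.ControllerDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Any())
        {
            return;
        }

        IEnumerable<string> values;
        string token = actionContext.Request.Headers.TryGetValues(TokenHeader, out values)
            ? values.FirstOrDefault()
            : null;

        // No token, or a token that resolves to nothing: the caller is unauthenticated -> 401.
        ClientData client = string.IsNullOrWhiteSpace(token) ? null : ClientHelper.GetClient(token);
        if (client == null)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        // Authenticated but not in an allowed role -> 403. Keep the body empty so the
        // response does not reveal which roles exist or which one the caller holds.
        if (client.Role == null || !_roles.Contains(client.Role))
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
            return;
        }

        // Make the resolved client available to the action and to later filters
        // without a second token lookup.
        actionContext.Request.Properties["Client"] = client;
    }
}
```

Per action it is used as [RequireRole("Admin")] on SaveOrder; globally, config.Filters.Add(new RequireRoleAttribute("Admin")) in WebApiConfig.Register together with [AllowAnonymous] on GetOrder keeps the read endpoint public while everything else requires an Admin token. Because OnAuthorization runs before parameter binding, a rejected request never has its body deserialised into an Order.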
