Authorization

Comment Posted by garrylindsay

Mon, 27 Feb 2012 14:35:33 GMT

Great starter vids.

Whats the best way if I have to write super custom join queries against SQL Azure for a Google like autocomplete that REST cannot handle? Do I just have a floating .svc file folder in the project for those special R queries of the CRUD?

Comment Posted by pbernhardt

Sun, 04 Mar 2012 11:21:05 GMT

Nice series of videos, Jon. But I'm looking to dig deeper into the authorization support, particularly how you would incorporate claims and, more generally, identity into a service built on top of Web API.

Comment Posted by bhofmann

Tue, 06 Mar 2012 16:04:02 GMT

One thing I don't get, is how you would or could authorise when your Web API is not part of a website. I assume the authorisation is based on the membership provider, which implies either a login form or possibly Windows Authentication if the site is running in Integrated authentication mode?

Comment Posted by jon galloway

Wed, 07 Mar 2012 18:25:47 GMT

@pbernhardt - That's a lot more involved, and I'm not sure if we've got a good sample of that yet. I'll check around. Two places to get started:

This TechDays video talks about securing Web API's on Azure, including ACS: www.microsoft.com/

Henrik's been blogging some more advanced scenarios:

blogs.msdn.com/

Comment Posted by jon galloway

Wed, 07 Mar 2012 18:30:50 GMT

@bhofmann You can subclass the Authorize attribute to run any authorization code you'd like in AuthorizeCore. There's a good blog post by David Hayden on how to do this with an MVC controller (and it's the same idea with Web API):

davidhayden.com/

Comment Posted by malkov

Wed, 14 Mar 2012 07:06:47 GMT

Your example doesn't work.

I've installed VS11 and created new MVC4 WebAPI application. Then I've added attribute [System.Web.Http.Authorize] to ValuesController, which was created by default.

Then I've added the link to home page: Get items and jquery for it, where i tried to react on status code 404.

But the site send back 302 instead of 401.

Any feedback about it?

Comment Posted by malkov

Wed, 14 Mar 2012 07:17:39 GMT

Sorry, of course I've tried to react on status code 401 not 404:

$.ajax({

url: "/api/values/",

accepts: "application/json",

cache: false,

statusCode: {

200: function (values) {

alert("OK");

401: function () {

alert("Not authorized");

}

Comment Posted by malkov

Wed, 14 Mar 2012 09:40:39 GMT

I've found a solution at:

netmvc.blogspot.com/

Comment Posted by gkgorman

Thu, 22 Mar 2012 11:12:49 GMT

Why have two Login methods on the account controller? Wouldn't it be better to have the API have an Account Controller with the JsonLogin and then have the MVC AccountController call the API Account Controller?

Comment Posted by icelava

Fri, 30 Mar 2012 06:58:53 GMT

There probably needs to be a deeper explanation of the authorization concepts and mechanism behind the [Authorize] attribute that make it work.

E.g. how roles/claims come into play to authorize different actions to different users.

Comment Posted by Jim S

Mon, 02 Apr 2012 15:18:16 GMT

I agree with other posters, an intriguing video, but I would like to know how it is "authorizing", and how you can control who is authorized (i.e. Forms auth. and roles).

Comment Posted by Prabakard

Tue, 10 Apr 2012 23:46:27 GMT

Do you have any info / article / video on Authentication.

In the end of Part 5 video you mentioned that you will explain Web Api Authentication and Authorization in Next part (Part 6) of video. But the Part 6 talks only about Authorization and that too not complete. It says client will differentiate based on the status code. But how does Server decides to return those status codes. When the Authorize fails and when it succeeds.. its obviously about authentication, about which there is no info.

Comment Posted by theshadow330

Mon, 21 May 2012 11:52:32 GMT

Jon, appreciate the video - but please can you guys do text blogs rather than video blogs. Videos are not indexed by search engines, are a mission to skim "view" and can't be easily watched in a work environment when researching on the fly.

thanks

Comment Posted by dmitri_vaganov

Tue, 14 Aug 2012 08:50:05 GMT

I have the following scenario. My customer calls my web api service in java using POST method passing me XML structure as an input parameter. See below:

1.1

false

http://XXXXXXXX/getCoupon.do

POST

BASIC

false

usernamepassword

TestRequestId1

625

My task is to authenticate their username and password against my database before returning anything back. I have tried to figure out how to read auth-username and auth-password parameters but I came up short. Please point me in the right direction.

Thanks