How to secure your Web API REST Controllers?

The first step in securing your REST controllers is to transfer the built-in ASP.NET Membership tables to your own database (see my previous blog post).

Once the ASP.NET Membership tables are transferred, you can tie them to your own security tables.  The image below shows my security table (MstUser) tied to the ASP.NET Membership tables.

[Image: the MstUser security table linked to the ASP.NET Membership tables]

Now that the ASP.NET Membership tables are tied to my security table (MstUser), I can create a Security Class Wrapper that will be used to secure my controllers.  I named my Security Class Wrapper SysSecurity.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Security;

namespace wfmis.Controllers
{
    public class SysSecurity
    {
        private Data.wfmisDataContext data = new Data.wfmisDataContext();

        // Returns the MstUser.Id of the logged-in membership user, or 0 when the
        // caller is anonymous or has no matching row in the security table.
        public long GetCurrentUser()
        {
            MembershipUser membershipUser = Membership.GetUser();
            if (membershipUser == null)
            {
                return 0; // anonymous request: Membership.GetUser() returns null
            }

            string UserName = membershipUser.UserName;

            // A LINQ query object is never null; test the first matching row instead.
            var User = (from u in data.Users where u.UserName == UserName select u).FirstOrDefault();
            if (User == null)
            {
                return 0;
            }

            string UserId = User.UserId.ToString();

            // Locate the security record that is linked to this membership user.
            var MstUser = data.MstUsers.FirstOrDefault(u => u.Membership.UserId.ToString().Equals(UserId));
            if (MstUser != null)
            {
                return MstUser.Id;
            }

            return 0;
        }
    }
}

I believe the code above is self-explanatory.  First it gets the membership user for the current session and then, using LINQ, it locates the corresponding Id in the security table (MstUser), returning 0 when there is no logged-in user or no matching security record.

That's it!  Now you can use it in your controllers.  Below is sample code that uses the Security Class Wrapper.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;

namespace wfmis.Controllers
{
    // [Authorize] rejects anonymous callers with 401 before any query runs,
    // so GetCurrentUser() is only ever evaluated for a logged-in user.
    [Authorize]
    public class MstAccountController : ApiController
    {
        private Data.wfmisDataContext data = new Data.wfmisDataContext();
        private SysSecurity secure = new SysSecurity();

        // GET api/MstAccount
        public List<Models.MstAccount> Get()
        {
            // Resolve the caller once rather than inside the query expression.
            long currentUser = secure.GetCurrentUser();

            var Accounts = from d in data.MstAccounts
                           where d.MstUser.Id == currentUser
                           select new Models.MstAccount
                            {
                                Id = d.Id,
                                AccountCode = d.AccountCode,
                                Account = d.Account,
                                AccountType = d.MstAccountType.AccountType
                            };

            return Accounts.ToList();
        }

        // GET api/MstAccount/5
        public Models.MstAccount Get(int id)
        {
            long currentUser = secure.GetCurrentUser();

            var Account = (from a in data.MstAccounts
                           where a.Id == id && a.MstUser.Id == currentUser
                           select new Models.MstAccount
                           {
                               Id = a.Id,
                               AccountCode = a.AccountCode,
                               Account = a.Account,
                               AccountType = a.MstAccountType.AccountType
                           }).FirstOrDefault();

            // The query itself is never null; FirstOrDefault() is null when the
            // row does not exist or belongs to another user. Both cases get the
            // same 404, so the response does not reveal whether the id exists.
            if (Account == null)
            {
                throw new HttpResponseException(new HttpResponseMessage(HttpStatusCode.NotFound));
            }

            return Account;
        }
    }
}

Take note of the privately declared object secure: it is the Security Class Wrapper, and its GetCurrentUser() result is used in the where clause of each LINQ query, so a caller only ever sees rows that belong to their own MstUser record.
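The same ownership filter has to guard the write actions as well, otherwise a caller could update or delete another user's row by guessing its id.  The following is an added example, not code from the original post, showing PUT and DELETE actions for the same controller (the two GET actions above are omitted here); it assumes wfmisDataContext is a LINQ to SQL DataContext, that the entity type is Data.MstAccount, and that the Models.MstAccount DTO and SysSecurity wrapper are the ones shown above.

```csharp
// Added example: write actions that apply the same ownership filter as the GET
// actions. Assumes a LINQ to SQL DataContext and a Data.MstAccount entity.
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;

namespace wfmis.Controllers
{
    [Authorize] // reject anonymous callers before any query runs
    public class MstAccountController : ApiController
    {
        private Data.wfmisDataContext data = new Data.wfmisDataContext();
        private SysSecurity secure = new SysSecurity();

        // Single place where the "current user owns this row" rule lives.
        private Data.MstAccount FindOwned(int id)
        {
            long userId = secure.GetCurrentUser();
            if (userId == 0) return null; // no matching security record
            return data.MstAccounts.FirstOrDefault(a => a.Id == id && a.MstUser.Id == userId);
        }

        // PUT api/MstAccount/5
        public HttpResponseMessage Put(int id, Models.MstAccount model)
        {
            var account = FindOwned(id);
            if (account == null)
            {
                // Same status for "missing" and "not yours": does not reveal whether the id exists.
                return Request.CreateResponse(HttpStatusCode.NotFound);
            }
            // Copy only the fields the client may edit; never the Id or the owner.
            account.AccountCode = model.AccountCode;
            account.Account = model.Account;
            data.SubmitChanges();
            return Request.CreateResponse(HttpStatusCode.NoContent);
        }

        // DELETE api/MstAccount/5
        public HttpResponseMessage Delete(int id)
        {
            var account = FindOwned(id);
            if (account == null) return Request.CreateResponse(HttpStatusCode.NotFound);
            data.MstAccounts.DeleteOnSubmit(account);
            data.SubmitChanges();
            return Request.CreateResponse(HttpStatusCode.NoContent);
        }
    }
}
```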

Of course, later on you can extend the Security Class Wrapper to process user rights.  Happy coding!

If you find this blog helpful, you can make a donation by clicking the Paypal button below.
