How to secure your Web API REST Controllers?

The first step in securing your REST controllers is to transfer the built-in ASP.NET Membership tables to your own database (see my previous blog post).

Once the ASP.NET Membership tables are transferred, you can tie them to your own security tables. The image below shows how I tied my security table (MstUser) to the ASP.NET Membership tables.

[Image b1: the MstUser security table tied to the ASP.NET Membership tables]

Now that the ASP.NET Membership tables are tied to my security table (MstUser), I can create a Security Class Wrapper that will be used to secure my controllers. I named it SysSecurity.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Security;

namespace wfmis.Controllers
{
    public class SysSecurity
    {
        private Data.wfmisDataContext data = new Data.wfmisDataContext();

        // Returns the MstUser.Id of the currently authenticated membership user,
        // or 0 when there is no authenticated user or no matching MstUser row.
        public long GetCurrentUser()
        {
            // Membership.GetUser() returns null for an anonymous request; guard it
            // instead of letting the controller fail with a NullReferenceException.
            MembershipUser membershipUser = Membership.GetUser();
            if (membershipUser == null)
            {
                return 0;
            }
            string UserName = membershipUser.UserName;

            // A LINQ query object is never null, so check the materialized row instead.
            var User = data.Users.FirstOrDefault(u => u.UserName == UserName);
            if (User == null)
            {
                return 0;
            }

            // Compare the membership UserId directly rather than through ToString().
            var UserId = User.UserId;
            var MstUser = data.MstUsers.FirstOrDefault(u => u.Membership.UserId == UserId);

            return MstUser != null ? MstUser.Id : 0;
        }
    }
}

I believe the code above is self-explanatory. It first gets the currently authenticated membership user, then uses LINQ to locate the corresponding Id in the security table (MstUser). Membership.GetUser() returns null for an anonymous request, which is why the wrapper checks it before touching UserName; in that case, and when no MstUser row matches, it returns 0, an Id that no real row should carry.

That's it! Now you can use it in your controllers. Below is sample code that uses the Security Class Wrapper.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;

namespace wfmis.Controllers
{
    // [Authorize] rejects anonymous requests with 401 before any action runs;
    // without it Membership.GetUser() is null and the wrapper cannot resolve a user.
    [Authorize]
    public class MstAccountController : ApiController
    {
        private Data.wfmisDataContext data = new Data.wfmisDataContext();
        private SysSecurity secure = new SysSecurity();

        // GET api/MstAccount
        public List<Models.MstAccount> Get()
        {
            // Resolve the caller's MstUser.Id once, then use it in the predicate.
            long currentUser = secure.GetCurrentUser();

            var Accounts = from d in data.MstAccounts
                           where d.MstUser.Id == currentUser
                           select new Models.MstAccount
                            {
                                Id = d.Id,
                                AccountCode = d.AccountCode,
                                Account = d.Account,
                                AccountType = d.MstAccountType.AccountType
                            };

            return Accounts.ToList();
        }

        // GET api/MstAccount/5
        public Models.MstAccount Get(int id)
        {
            long currentUser = secure.GetCurrentUser();

            // Ownership is part of the predicate: a row owned by another user is
            // simply not found, so the caller cannot read it by guessing ids.
            var Account = (from a in data.MstAccounts
                           where a.Id == id && a.MstUser.Id == currentUser
                           select new Models.MstAccount
                           {
                               Id = a.Id,
                               AccountCode = a.AccountCode,
                               Account = a.Account,
                               AccountType = a.MstAccountType.AccountType
                           }).FirstOrDefault();

            // A query object is never null; the materialized row is what can be null.
            // Without this check, First() would throw and the API would answer 500.
            if (Account == null)
            {
                throw new HttpResponseException(new HttpResponseMessage(HttpStatusCode.NotFound));
            }

            return Account;
        }
    }
}

Take note of the privately declared object secure: it is the Security Class Wrapper, and the Id it returns is used in the where clause of every LINQ query. This is what stops a logged-in user from reading another user's rows by changing the id in the URL: a row that belongs to someone else is filtered out and the action answers 404, the same as for an id that does not exist, so the response does not even confirm that the row is there. Keep that filter on every action (POST, PUT and DELETE included), not just GET; [Authorize] on its own only proves that the caller is logged in, not that the row is theirs.
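To make the effect of that where clause concrete, here is an added example (not code from the original post) that models the MstAccount and MstUser tables in memory with a few constructed rows and runs the same query with and without the ownership predicate. The class and property names follow the post; the sample data, the user names and the two lookup methods are assumptions made for the demonstration, and LINQ to Objects stands in for the LINQ to SQL data context.

```csharp
// Added example: in-memory model of the post's tables, not the project's code.
using System;
using System.Collections.Generic;
using System.Linq;

namespace OwnershipFilterDemo
{
    class MstUser { public long Id; public string UserName; }
    class MstAccount { public int Id; public string AccountCode; public string Account; public MstUser MstUser; }

    static class Program
    {
        // Constructed sample data: two users, each owning exactly one account.
        static readonly MstUser Alice = new MstUser { Id = 1, UserName = "alice" };
        static readonly MstUser Bob   = new MstUser { Id = 2, UserName = "bob" };
        static readonly List<MstAccount> MstAccounts = new List<MstAccount>
        {
            new MstAccount { Id = 10, AccountCode = "A-10", Account = "Alice cash", MstUser = Alice },
            new MstAccount { Id = 20, AccountCode = "B-20", Account = "Bob cash",   MstUser = Bob },
        };

        // Insecure variant (assumed, for contrast): trusts the id from the URL and
        // ignores who is asking, so any logged-in user can read any row.
        static MstAccount GetUnfiltered(int id)
        {
            return MstAccounts.FirstOrDefault(a => a.Id == id);
        }

        // The post's pattern: the caller's MstUser.Id is part of the predicate.
        // A row that belongs to someone else comes back null, exactly like a row
        // that does not exist, which the controller turns into 404.
        static MstAccount GetForCurrentUser(int id, long currentUserId)
        {
            return MstAccounts.FirstOrDefault(a => a.Id == id && a.MstUser.Id == currentUserId);
        }

        static string Describe(MstAccount account)
        {
            return account == null ? "(not found)" : account.Account;
        }

        static void Main()
        {
            // What SysSecurity.GetCurrentUser() would return for a request from alice.
            long current = Alice.Id;

            // Alice asks for Bob's account (id 20) by guessing the id.
            Console.WriteLine("unfiltered  : " + Describe(GetUnfiltered(20)));
            Console.WriteLine("filtered    : " + Describe(GetForCurrentUser(20, current)));

            // Her own account still works through the filtered query.
            Console.WriteLine("own account : " + Describe(GetForCurrentUser(10, current)));

            // An unmapped or anonymous caller: GetCurrentUser() returns 0, which owns nothing.
            Console.WriteLine("user id 0   : " + Describe(GetForCurrentUser(10, 0)));
        }
    }
}
```

Run as a console application: the unfiltered lookup prints Bob's account for Alice, the filtered lookup prints "(not found)" for the same id, Alice's own account is still returned, and a caller id of 0 gets nothing. The last line is the reason the wrapper's 0 return value is safe only while no MstUser row actually has Id 0, which is why [Authorize] on the controller is still worth having as the first gate.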

Of course, later on you can extend the Security Class Wrapper to process user rights. Happy coding!
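One way to take that next step, as an added example rather than code from the original post: an ASP.NET Web API authorization filter that puts the wrapper in front of every action, so an unauthenticated or unmapped caller is stopped with 401 before the action runs, and an optional per-action right is checked and refused with 403. It uses the post's SysSecurity.GetCurrentUser() as-is. The SysAuthorize attribute, the request property key, the MstUserRights table (columns MstUserId and RightName), the right name "MstAccount.Delete" and the MstAccountSecured controller are all assumptions introduced for the example and are not part of the original schema or project.

```csharp
// Added example: authorization filter and rights check built on the post's
// SysSecurity wrapper. The MstUserRights table is hypothetical.
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

namespace wfmis.Controllers
{
    // Apply as [SysAuthorize] for a plain "must be a mapped user" gate, or as
    // [SysAuthorize(Right = "...")] to additionally require a named right.
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
    public class SysAuthorizeAttribute : AuthorizationFilterAttribute
    {
        // Assumed key under which the resolved MstUser.Id is stored on the request.
        public const string CurrentUserKey = "wfmis.CurrentUserId";

        public string Right { get; set; }

        public override void OnAuthorization(HttpActionContext actionContext)
        {
            var secure = new SysSecurity();
            long currentUserId = secure.GetCurrentUser();

            // 0 means no authenticated membership user or no MstUser row: answer 401
            // here instead of letting the action run with an owner id that matches nothing.
            if (currentUserId == 0)
            {
                actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
                return;
            }

            // Optional rights check: authenticated but not permitted is 403, not 401.
            if (!string.IsNullOrEmpty(Right))
            {
                using (var data = new Data.wfmisDataContext())
                {
                    // Hypothetical table MstUserRights(MstUserId, RightName).
                    bool allowed = data.MstUserRights.Any(r => r.MstUserId == currentUserId && r.RightName == Right);
                    if (!allowed)
                    {
                        actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
                        return;
                    }
                }
            }

            // Resolve the id once per request and hand it to the action.
            actionContext.Request.Properties[CurrentUserKey] = currentUserId;
        }
    }

    // The attribute is the authentication and rights gate; the query still does
    // the ownership filter, using the id the filter stored on the request.
    [SysAuthorize]
    public class MstAccountSecuredController : ApiController
    {
        private Data.wfmisDataContext data = new Data.wfmisDataContext();

        private long CurrentUserId
        {
            get { return (long)Request.Properties[SysAuthorizeAttribute.CurrentUserKey]; }
        }

        // DELETE api/MstAccountSecured/5 (requires the hypothetical right below)
        [SysAuthorize(Right = "MstAccount.Delete")]
        public HttpResponseMessage Delete(int id)
        {
            long current = CurrentUserId;
            var account = data.MstAccounts.FirstOrDefault(a => a.Id == id && a.MstUser.Id == current);
            if (account == null)
            {
                // Someone else's row looks the same as a missing row.
                return Request.CreateResponse(HttpStatusCode.NotFound);
            }

            data.MstAccounts.DeleteOnSubmit(account);
            data.SubmitChanges();
            return Request.CreateResponse(HttpStatusCode.NoContent);
        }
    }
}
```

Because the class-level attribute runs for every action, an anonymous request never reaches Delete, and a logged-in user without the "MstAccount.Delete" right gets 403 before the query runs; the ownership predicate then keeps a user with that right from deleting someone else's account. Keeping both layers matters: the filter answers "may this caller do this kind of thing", the where clause answers "on this row".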

Posted in ASP.NET

Author

Harold Glenn P. Minerva
Software Developer / Tech Enthusiast
Living in the Philippines
