Authorize your Web API controllers in Sitecore style

I would like to share with you guys how easy it is to limit access to your Web API actions or controllers. Recently, when I was working with a SPEAK component, I had to make a Web API controller that only allowed users with a certain role (the Admin user will always have access).

So, as always, I looked at how Sitecore did it, and I just loved it 🙂

They are using Authentication filters.

Authentication filters let you set an authentication scheme for individual controllers or actions. That way, your app can support different authentication mechanisms for different HTTP resources.

To apply an authentication filter to a controller, decorate the controller class with the filter attribute.

What we need is a filter that authorizes the request only if the user is a member of a specific role.
I took a glance at one of the filters Sitecore ships, AuthorizedReportingUserFilter:

using Sitecore.Globalization;
using Sitecore.Xdb.Configuration;
using System.Net;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

namespace Sitecore.Cintel.Endpoint.Plumbing
{
  public class AuthorizedReportingUserFilter : AuthorizationFilterAttribute
  {
    public override void OnAuthorization(HttpActionContext actionContext)
    {
      if ((Context.User.IsAdministrator || Context.User.IsInRole("sitecore\\analytics reporting")) && (XdbSettings.Enabled && Context.User.IsAuthenticated))
        return;
      string message = Translate.Text("Unauthorized Access");
      actionContext.Response = actionContext.ControllerContext.Request.CreateErrorResponse(HttpStatusCode.Unauthorized, message);
      base.OnAuthorization(actionContext);
    }
  }
}

As you guys can see, OnAuthorization is where all the magic happens. In this case the filter checks that the user is authenticated and is either an administrator or a member of the analytics reporting role; otherwise it sets a 401 Unauthorized response, which short-circuits the action.

It’s almost what we need. So what to do? Let’s make our own filter, like this:

using System.Net;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using Sitecore;
using Sitecore.Globalization;

namespace Sandbox.Website.Code.HttpFilters
{
  public class AuthorizedCustomRoleFilter : AuthorizationFilterAttribute
  {
    private readonly string _role;

    // The role is given without its domain; the filter prefixes "sitecore\" when checking membership.
    public AuthorizedCustomRoleFilter(string role)
    {
      _role = role;
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
      // Administrators always pass; everyone else must be authenticated and hold the role.
      // The parentheses make the grouping explicit (&& binds tighter than ||), as in Sitecore's own filter.
      if ((Context.User.IsAdministrator || Context.User.IsInRole($"sitecore\\{_role}")) && Context.User.IsAuthenticated)
        return;

      // Deny: setting the response short-circuits the pipeline so the action never runs.
      string message = Translate.Text("Unauthorized Access");
      actionContext.Response = actionContext.ControllerContext.Request.CreateErrorResponse(HttpStatusCode.Unauthorized, message);
      base.OnAuthorization(actionContext);
    }
  }
}

As you guys can see, the constructor takes a role parameter, which lets us require whatever role we want when we apply the attribute.

Here is an example where we use the new filter on a Web API controller.

using System.Web.Http;
using Sandbox.Website.Code.HttpFilters;
namespace Sandbox.Website.Code.WebAPI.Controllers
{
  // Only administrators and members of sitecore\Author can reach any action on this controller.
  [AuthorizedCustomRoleFilter("Author")]
  public class MyController : ApiController
  {
  }
}
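The filter above hardcodes the sitecore\ domain and answers every refusal with 401. Below is an added example (mine, not code from this post or from Sitecore) of a variant that takes one or more fully qualified role names, lets administrators through as Sitecore's own filters do, and distinguishes an anonymous caller (401 Unauthorized) from an authenticated user who simply lacks the role (403 Forbidden). It relies only on Sitecore.Context.User and System.Web.Http, like the post's own code; the class name AuthorizedRolesFilter and the role names in the usage comment are made up for the example.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using Sitecore;
using Sitecore.Globalization;

namespace Sandbox.Website.Code.HttpFilters
{
    // Added example, not part of the original post.
    // Usage (role names are made up): [AuthorizedRolesFilter("sitecore\\Author", "sitecore\\Designer")]
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
    public class AuthorizedRolesFilter : AuthorizationFilterAttribute
    {
        private readonly string[] _roles;

        public AuthorizedRolesFilter(params string[] roles)
        {
            if (roles == null || roles.Length == 0)
                throw new ArgumentException("At least one role must be specified.", nameof(roles));

            // Require "domain\name" so a typo cannot silently compare against a role that does not exist.
            foreach (var role in roles)
            {
                if (string.IsNullOrWhiteSpace(role) || !role.Contains("\\"))
                    throw new ArgumentException($"Role '{role}' must be fully qualified, e.g. sitecore\\Author.", nameof(roles));
            }

            _roles = roles;
        }

        public override void OnAuthorization(HttpActionContext actionContext)
        {
            var user = Context.User;

            // Anonymous caller: 401 tells the client that credentials are required.
            if (user == null || !user.IsAuthenticated)
            {
                actionContext.Response = actionContext.Request.CreateErrorResponse(
                    HttpStatusCode.Unauthorized, Translate.Text("Unauthorized Access"));
                return;
            }

            // Administrators always pass, as in Sitecore's own filters; otherwise any listed role is enough.
            if (user.IsAdministrator || _roles.Any(role => user.IsInRole(role)))
            {
                base.OnAuthorization(actionContext);
                return;
            }

            // Authenticated but not in any allowed role: 403, so the client does not retry with the same credentials.
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Forbidden, Translate.Text("Access Denied"));
        }
    }
}
```

Validating the role names in the constructor means a misconfigured attribute fails at startup (when the attribute is first instantiated) rather than quietly denying every request, and returning 403 for authenticated users keeps the two failure modes apart in your logs.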

So go ahead and write HTTP filters for your Web API controllers.

That’s all for now folks 🙂
