Securing Web API in .Net

Question

0.00/5 (No votes)

See more:

I'm implementing a Web API where I have different roles available. I have the below scenario which needs to be secured,

For example I have a method which says GetEmployeesDetails(ids), where I fetch the details of all the employees who are under the user who is accessing the method (logged in user) by the ids, I validate the user accessing the method Authorise Attribute. Now say suppose I have another valid user who has some other employees under him, but he hacks the system and provide some different ids as input to the method, the method will respond with the data. I want to validate that the input provided cannot be tampered or somehow validate whether the ids are under the user currently accessing the method. Has anyone come across such a scenario ? Any help in this regard will be appreciated.

Thanks

What I have tried:

I have validated the user accessing the method with whether he is authorised to access the data for the ids provided in input, but this adds to overhead to the workflow, is there any global concept which I can implement to handle such scenarios. This API will be public hence security is the major concern

Posted 4-Feb-16 6:56am

sagar wasule

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

debashishPaul · Answer 1 · 2016-02-04T10:42:00

Solution 1

There are a few ways to get there. The easy two are:

1. In the business layer, before returning data, check if the ids provided by the current user is valid or not.

2. Customize the Authorize filter.
Writing your own custom ASP.Net MVC [Authorize] attributes - Diary Of A Ninja[^]

You can also pass parameters to your custom attribute. This will enable you to conditionally execute logic blocks if needed.
c# - How to add 'pass parameter' to custom AuthorizeAttribute - Stack Overflow[^]

Posted 4-Feb-16 10:42am

debashishPaul

Updated 5-Feb-16 15:45pm

v3

Comments

sagar wasule 5-Feb-16 6:20am

Thanks debashishPaul for your response, I can check for the ids provided by the current user is valid or not or if the current user can access the resource he has asked for or else throw and unauthorized exception, but this scenario will be needed to check for each and every method in the web api. Is there any other way around where I can handle such scenarios globally ?

debashishPaul 5-Feb-16 21:36pm

yes... put that piece of logic in your custom Authorize attribute.
http://www.diaryofaninja.com/blog/2011/07/24/writing-your-own-custom-aspnet-mvc-authorize-attributes

You can also pass parameters to your custom attribute. This will enable you to conditionally execute logic blocks if needed.
http://stackoverflow.com/questions/15042821/how-to-add-pass-parameter-to-custom-authorizeattribute