Access a message or retrieve parameters in MVC4 Web Api user authorization

Is it possible to access the message or get parameters through the HttpActionContext object?

I have a set of sensors that log data on a web server that provides a REST API. I would like to introduce some authentication / authorization, allowing the sensors to include their equipment identifier in the data, and then search the database to see if the identifier exists. Since the API provides many API action methods for web applications, I would ideally like to use a special authorization attribute:

    public class ApiAuthorizationFilter : AuthorizeAttribute
    {
        protected override bool IsAuthorized(HttpActionContext actionContext)
        {
            return false;
        }
    }

How can I access the message / get data from actionContext?

EDIT: POST Example

    POST /Api/api/ActionMethod/ HTTP/1.1\r\n
    Content-Type: application/json\r\n
    Host: localhost\r\n
    Accept: */*\r\n
    Content-Length:52\r\n
    \r\n
    {"Id": '121a222bc', "Time": '2012-02-02 12:00:00'}\r\n

Have a nice day!

+44
authorization asp.net-web-api asp.net-mvc-4
Oct 10 '12 at 10:27
5 answers

By its very nature, an AuthorizeAttribute looks like it is called in the pipeline before the model bindings and parameter bindings are started. You also encounter problems accessing and reading Request.Content ... it can only be done once, and if you are going to try it in your auth attribute, you can break the MediaTypeFormatter ...

In Web API, the request body (HttpContent) can be a stream without restrictions, read-only, without buffering.

Update: There are different ways to specify the execution context ... http://msdn.microsoft.com/en-us/library/system.web.http.filters.filterscope(v=vs.108).aspx. The authorize attribute is Global, so it's too early for it to access action information.

Given that you want to access the model and parameters, you can slightly change your approach and use the OnActionExecuting filter ("Action" scope) and throw 401 or 403 based on your check.

This filter is called later at runtime, and therefore you have full access to the associated data.

A very simple example below:

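    using System.Net;
    using System.Web.Http;
    using System.Web.Http.Controllers;
    using System.Web.Http.Filters;

    public class ApiAuthorizationFilter : ActionFilterAttribute
    {
        public override void OnActionExecuting(HttpActionContext actionContext)
        {
            // Model binding has already run, so the bound arguments are available by parameter name.
            Foo model = (Foo)actionContext.ActionArguments["model"];
            string param1 = (string)actionContext.ActionArguments["param1"];
            // param2 is declared as int? on the action and may be null.
            int? param2 = (int?)actionContext.ActionArguments["param2"];

            // A missing body binds to null; reject it together with any unexpected Id.
            if (model == null || model.Id != "1")
                throw new HttpResponseException(HttpStatusCode.Forbidden);

            base.OnActionExecuting(actionContext);
        }
    }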

Controller example:

    using System;
    using System.Web.Http;

    public class Foo
    {
        public string Id { get; set; }
        public DateTime Time { get; set; }
    }

    public class FoosController : ApiController
    {
        // PUT api/foos/5
        [ApiAuthorizationFilter]
        public Foo Put(int id, Foo model, [FromUri]string param1 = null, int? param2 = null)
        {
            return model;
        }
    }

What the other answers said ... they are right if you can access everything you need at the URL, get information through a request; however, I think the model and content of the request should be left alone:

    // Requires: using System.Linq; using System.Web;
    var queryStringCollection = HttpUtility.ParseQueryString(actionContext.Request.RequestUri.Query);

    // Example for param1
    string param1 = queryStringCollection["param1"];

    // Example for param2 (TryParse leaves param2 at 0 when the value is missing or not a number)
    int param2;
    int.TryParse(queryStringCollection["param2"], out param2);

    // Example of getting the ID from the URL
    var id = actionContext.Request.RequestUri.Segments.LastOrDefault();
+52
Oct 10 '12 at 21:10
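An added example, not part of the answer above or of any project's code: a variant of the action filter that does not depend on the parameter being named "model" and that fails closed when no identifier was bound. IEquipmentMessage, IEquipmentRegistry, InMemoryEquipmentRegistry and EquipmentAuthorizationFilter are hypothetical names; the answer's Foo class would implement IEquipmentMessage through its existing Id property.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical contract: any bound model that carries an equipment identifier.
public interface IEquipmentMessage { string Id { get; } }

// Hypothetical lookup; a real implementation would query the database.
public interface IEquipmentRegistry { bool IsKnown(string equipmentId); }

public class InMemoryEquipmentRegistry : IEquipmentRegistry
{
    // Constructed sample data: the identifier from the question's POST body.
    private readonly HashSet<string> _known =
        new HashSet<string>(StringComparer.Ordinal) { "121a222bc" };

    public bool IsKnown(string equipmentId) { return _known.Contains(equipmentId); }
}

public class EquipmentAuthorizationFilter : ActionFilterAttribute
{
    // Attribute instances cannot receive constructor-injected services; static for brevity.
    public static IEquipmentRegistry Registry = new InMemoryEquipmentRegistry();

    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        // Model binding has already consumed Request.Content, so use its
        // result instead of reading the body a second time.
        var message = actionContext.ActionArguments.Values
            .OfType<IEquipmentMessage>()
            .FirstOrDefault();

        // Fail closed: no bound model, empty identifier, or unknown identifier.
        if (message == null || string.IsNullOrEmpty(message.Id)
            || !Registry.IsKnown(message.Id))
        {
            // Setting Response short-circuits the pipeline; the action does not run.
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Unknown equipment identifier.");
        }
    }
}
```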

I used the context's route data to get the parameters from within a custom AuthorizeAttribute when calling something like /api/client/123/users:

    using System;
    using System.Web.Http;

    public class CustomAuthorizeAttribute : AuthorizeAttribute
    {
        protected override bool IsAuthorized(System.Web.Http.Controllers.HttpActionContext actionContext)
        {
            var clientId = Convert.ToInt32(actionContext.ControllerContext.RouteData.Values["clientid"]);

            // Check if user can access the client account, and combine that
            // result with the default check below.
            return base.IsAuthorized(actionContext);
        }
    }
+17
Jun 05 '13 at 13:35

You can get the query string values from your custom authorization attribute using the following code:

    using System.Web.Mvc; // AuthorizationContext belongs to the MVC AuthorizeAttribute

    public class ApiAuthorizationFilter : AuthorizeAttribute
    {
        protected override void OnAuthorization(AuthorizationContext filterContext)
        {
            var querystring = filterContext.RequestContext.HttpContext.Request.QueryString;
            // Do what you need
        }
    }
+1
Nov 12 '14 at 4:29

Although this question has already been answered, if someone needs it, you can get requests from

 HttpActionContext actionContext 

in the following way:

    // Requires: using System.Linq; using System.Net.Http;
    var queryParameters = actionContext.Request
        .GetQueryNameValuePairs()
        .ToDictionary(x => x.Key, x => x.Value);

    var some_value = queryParameters.ContainsKey("some_key")
        ? queryParameters["some_key"]
        : string.Empty;
0
04 Oct '15 at 17:17

You can get this information from actionContext.Request. This is a way to get request data.

Published data is in actionContext.Request.Content. Or, if it's a GET request, you can get a request from actionContext.Request.RequestUri.

-2
Oct 10


