Web Api Routing Issues

I have a standalone web API project, so I had to use the Yao blog post to make a help page. Then I had to protect some of my methods from unauthorized use. I implemented this idea.

Now the fun part. I have 3 routes:

/help, which leads to the help page,

/authentication/authenticate, which is used to invoke the authentication method; it expects user credentials and returns a security token if successful,

and /transaction/{action}/{id}; this route should be protected from unauthorized use.

Basically, I need all the routes where controller = transaction to be handled by the TokenInspector.

1. Scenario: if I have such a routing configuration:

    _config.Routes.MapHttpRoute(
        name: "AuthenticatedOnly",
        routeTemplate: "transaction/{action}/{id}",
        defaults: new { controller = "Transaction", action = "GetNewTaskId", id = RouteParameter.Optional },
        constraints: null,
        handler: tokenInspector
    );

    _config.Routes.MapHttpRoute(
        "Default",
        "{controller}/{action}/{id}",
        defaults: new { controller = "Help", action = "Index", id = RouteParameter.Optional }
    );

Everything works fine, except that the help page shows only the POST Authentication/Authenticate entry.

2. Scenario: if I change the routing configuration to:

    _config.Routes.MapHttpRoute(
        name: "AuthenticatedOnly",
        routeTemplate: "transaction/{action}/{id}",
        defaults: new { },
        constraints: null,
        handler: tokenInspector
    );

    _config.Routes.MapHttpRoute(
        "Default",
        "{controller}/{action}/{id}",
        defaults: new { controller = "Help", action = "Index", id = RouteParameter.Optional }
    );

The help page works fine and shows all the methods, but /transaction is no longer protected and works without a token.

3. Scenario:

    _config.Routes.MapHttpRoute(
        name: "AuthenticatedOnly",
        routeTemplate: "transaction/{action}/{id}",
        defaults: new { id = RouteParameter.Optional },
        constraints: null,
        handler: tokenInspector
    );

    _config.Routes.MapHttpRoute(
        "Default",
        "{controller}/{action}/{id}",
        defaults: new { controller = "Help", action = "Index", id = RouteParameter.Optional }
    );

It works with both authentication and the help page, but when I make a request like /Transaction/GetNewTaskId with a valid token in the header, I get 404.

Update: Can anyone explain how the creation of the help page depends on the registered routes? Is there a way to configure it and force ApiExplorer to print the contents of the controller?

Update 2: After several attempts and investigations, I found a solution that fits my goal: to keep the documentation as well as the security template. I implemented a special message handler (basically, I used my TokenInspector, but added a logical URL filter to it).

So now I have one route:

    _config.Routes.MapHttpRoute(
        name: "Default",
        routeTemplate: "{controller}/{action}/{id}",
        defaults: new { controller = "Help", action = "Index", id = RouteParameter.Optional }
    );

and this is how I start the server:

    _config = new ExtendedHttpSelfHostConfiguration(ServiceAddress);

    TokenInspector tokenInspector = new TokenInspector()
    {
        InnerHandler = new HttpRoutingDispatcher(_config)
    };

    _server = new HttpSelfHostServer(_config, tokenInspector);
    ConfigureHost(_config);
    _server.OpenAsync();

Perhaps the question, as it stands, cannot be answered, but in any case, thank you all for your efforts!

Regards, insomnium_

+4
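
The server-level handler with a URL filter described in Update 2, sketched as an added example (this is not the asker's TokenInspector, whose code is not shown on the page). It assumes the service is hosted at the root of ServiceAddress, that the token travels in a hypothetical `X-Token` header, and that `isValidToken` is a caller-supplied validator; only the Help and Authentication controllers are treated as public, so every other controller requires a token.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

public class FilteringTokenInspector : DelegatingHandler
{
    // Assumption: only these controllers are public. The comparison ignores
    // case so that "/help" and "/Help" are treated the same way.
    private static readonly HashSet<string> PublicControllers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Help", "Authentication" };

    private const string TokenHeader = "X-Token";        // assumed header name
    private readonly Func<string, bool> _isValidToken;   // hypothetical validator

    public FilteringTokenInspector(Func<string, bool> isValidToken) { _isValidToken = isValidToken; }

    // True when the first path segment names a public controller. An empty
    // path is public because the Default route maps it to Help/Index.
    // An escaped or unknown segment is not in the set and stays protected.
    public static bool IsPublic(Uri requestUri)
    {
        string first = requestUri.AbsolutePath
            .Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries)
            .FirstOrDefault();
        return first == null || PublicControllers.Contains(first);
    }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        if (IsPublic(request.RequestUri))
            return base.SendAsync(request, cancellationToken);

        IEnumerable<string> values;
        bool ok = request.Headers.TryGetValues(TokenHeader, out values)
                  && _isValidToken(values.FirstOrDefault());
        if (ok)
            return base.SendAsync(request, cancellationToken);

        // Not explicitly public and no valid token: reject before routing.
        return Task.FromResult(new HttpResponseMessage(HttpStatusCode.Unauthorized));
    }
}
```

Because the filter lists the public controllers rather than the protected ones, a path that the filter and the router interpret differently is rejected instead of reaching a controller without a token. It is wired up the same way as in the question, with `InnerHandler = new HttpRoutingDispatcher(_config)`.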
2 answers
    // This is for your public controllers.
    // This route will ONLY catch requests for the Help and Authentication controllers.
    // You will need to include any new public controller that uses the route pattern.
    _config.Routes.MapHttpRoute(
        name: "Public",
        routeTemplate: "{controller}/{action}/{id}",
        constraints: new { controller = @"^(Help|Authentication)$" },
        defaults: new { controller = "Help", action = "Index", id = RouteParameter.Optional }
    );

    // Everything that is not Help or Authentication will use this route,
    // which will check for the valid token you mention.
    // This route is defaulting to /Transaction/GetNewTaskId.
    _config.Routes.MapHttpRoute(
        name: "AuthenticatedOnly",
        routeTemplate: "{controller}/{action}/{id}",
        defaults: new { controller = "Transaction", action = "GetNewTaskId", id = RouteParameter.Optional },
        constraints: null, // the MapHttpRoute overload that takes a handler also takes constraints
        handler: tokenInspector
    );
+1

Use this approach for more flexible method access control.

    config.Routes.MapHttpRoute(
        name: "PublicMethods",
        routeTemplate: "api/{controller}/{action}",
        constraints: new { action = @"^(public)-(.)*$" },
        defaults: new { controller = "Account" }
    );

    config.Routes.MapHttpRoute(
        name: "PublicControllers",
        routeTemplate: "api/{controller}/{action}",
        constraints: new { controller = @"^(Environment|Account)$" },
        defaults: new { controller = "Account" }
    );

    config.Routes.MapHttpRoute(
        name: "AuthorizedUsersOnly",
        routeTemplate: "api/{controller}/{action}/{id}",
        defaults: new { id = RouteParameter.Optional },
        constraints: null,
        handler: tokenInspector
    );

So I have a few controllers open to every user and, if necessary, I make some methods available to authorized users by adding the public prefix to the action name.

0

Source: https://habr.com/ru/post/1499148/

