Authentication for Web API

Earlier we saw how to create a Web API with GET, POST and PUT methods. As part of securing it, we can require a user id and password for the service: each time a request is received, the credentials carried in its headers are validated before a response is given.

  1.   Create new Controller

Create a GET method that returns some data from a table.
Controller code using Entity Framework:

              using System.Threading;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using WEBAPIAUTHORIZATION.Models;

namespace WEBAPIAUTHORIZATION.Controllers
{
    public class EmployeeController : ApiController
    {
        public HttpResponseMessage Get() //GET
        {
            string username = Thread.CurrentPrincipal.Identity.Name;
            using (ACT2_MINIQEntities entities = new ACT2_MINIQEntities())
            {
                var employeelist = entities.EmployeeDetails.ToList();
                return Request.CreateResponse(HttpStatusCode.OK, employeelist);
            }
        }
    }
}


2.   Create a new class at the root folder of the Web API project.

In my case the class is created as Security.cs


                  using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using WEBAPIAUTHORIZATION.Models;

namespace WEBAPIAUTHORIZATION
{
    public class Security
    {
        public static bool Login(string Username, string Password)
        {
            //Database connection to retrive daata
            using (ACT2_MINIQEntities entities = new ACT2_MINIQEntities())
            {
                //returns bool
                return entities.users.Any(
                        x => x.username.Equals(
                            Username, StringComparison.OrdinalIgnoreCase)
                            && x.passcode == Password);
            }
        }
    }
}


3.   Create another new class at the root folder of the Web API project.

In my case I have named it Authentication.cs


using System;
using System.Linq;
using System.Web.Http.Filters;
using System.Threading;
using System.Net.Http;
using System.Net;
using System.Text;
using System.Security.Principal;
using System.Web.Http.Controllers;

namespace WEBAPIAUTHORIZATION
{
    public class Authentication : AuthorizationFilterAttribute
    {
        public override void OnAuthorization(HttpActionContext actionContext)
        {
            if (actionContext.Request.Headers.Authorization == null)
            {
                actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            }
            else
            {
                string authenToken = actionContext.Request.Headers.Authorization.Parameter;
                string decodedToken = Encoding.UTF8.GetString(Convert.FromBase64String(authenToken));
                string[] credentials = decodedToken.Split(':');

                string userName = credentials[0];
                string password = credentials[1];

                if (Security.Login(userName, password))
                {
                    Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(userName), null);
                }
                else
                {
                    actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
                }
            }
        }
    }
}


4.       Changes in WebApiConfig.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Web.Http;
using Microsoft.Owin.Security.OAuth;
using Newtonsoft.Json.Serialization;

namespace WEBAPIAUTHORIZATION
{
    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            config.MapHttpAttributeRoutes();

            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{id}",
                defaults: new { id = RouteParameter.Optional }
            );

            //to authenticate globally
            config.Filters.Add(new Authentication());
        }
    }
}


To test the output, send the credentials in the request's Authorization header.

Credentials should be in the format username:Password

Credentials should be Base64-encoded, as shown below.