I am looking for a good approach for implementing an intranet web application using Web API (2) with ASP.NET MVC (5). The application is designed in such a way that we use an AngularJS SPA on the client side and, on the server side, MVC with Web API as a single application/web site. MVC is used because we have to restrict the operations based on the security permissions. We don't render the action buttons (e.g. Save, Delete, etc.) when we call the MVC controller for views if the user does not have permission. Other operations utilize Web API methods to Save, Delete, etc.
The basic idea is:
MVC controllers are for generating views with action buttons removed if the user doesn't have permission (HTML templates for AngularJS). Data manipulation is through Web API (AngularJS $http service Web API calls).
Questions here:
How do we derive an authentication mechanism which we can utilize for both MVC and Web API? (We can create authentication filters, but we have to create separate filters for MVC and Web API, right?)
Once the user is authenticated, how do we share this info with both the MVC controller and the Web API controller instead of validating the user on each request from AngularJS?
How do we store user permissions in session so that they are accessible from both MVC and Web API? (I don't want to send this information to the client in any way.)
AuthorizeAttribute)? – Brad Christie May 21 at 18:36