I am looking for a good approach for implementing an intranet web application using Web API (2) with ASP.NET MVC (5). The application is designed in such a way that we use an AngularJS SPA on the client side and, on the server side, MVC with Web API as a single application/web site. MVC is there because we have to restrict the operations based on the security permissions. We don't render the action buttons (e.g. Save, Delete etc.) when we call the MVC controller for views if the user does not have permission. Other operations utilize Web API methods to Save, Delete etc.

Basic idea is

MVC controllers are for generating views with action buttons removed if the user doesn't have permission (HTML templates for AngularJS). Data manipulation is through Web API (AngularJS $http service Web API calls).

Questions here

How do we derive an authentication mechanism which we can utilize for both MVC and Web API? (We can create Authentication filters but we have to create separate filters for MVC and Web API, right?)

Once the user is authenticated, how do we share this info with both the MVC controller and the Web API controller instead of validating the user on each request from AngularJS?

Is it possible to use ASP.NET forms authentication for both MVC and Web API for authentication? If so, how do we do that? Will the forms authentication token be validated for both MVC controllers and Web API controllers automatically using the [Authorize] attribute?

Also I would like to know, is it a good approach mixing MVC with Web API within a single application?

    
So you don't want to use the built-in authentication (e.g. Identity with Accounts/Roles then use AuthorizeAttribute)? – Brad Christie May 21 '14 at 18:36
    
Yes we can but we need to handle it separately for MVC and Web API, right? – Biju Thomas May 21 '14 at 18:39
    
Is your Web API in a separate server / project than the MVC website? – Simon Belanger May 21 '14 at 18:41
    
Web API and MVC are in single application – Biju Thomas May 21 '14 at 18:42
3  
If they are in the same application, they already share the same context (Http/Owin) and can be authenticated the same way. The authorization filters are in different namespaces for Mvc/WebApi but they work the same. In any case, you could create your own authorization filter and implement the interfaces for both MVC and WebApi (IAuthorizationFilter in System.Web.Mvc and System.Web.Http.Filters) to centralize your custom logic. – Simon Belanger May 21 '14 at 18:46

It's a feasible option but not a recommended option.

Since WebApi operation will be inheriting from ApiController

and MVC controller action will be inheriting from Controller Class.

If you want to define routes for the API and MVC controllers, then you need to register the routes like this in Global.asax, in Application start:

    GlobalConfiguration.Configure(WebApiConfig.Register);
    RouteConfig.RegisterRoutes(RouteTable.Routes);

RouteConfig Class

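    using System.Web.Mvc;
    using System.Web.Routing;

    public static class RouteConfig
    {
        public static void RegisterRoutes(RouteCollection routes)
        {
            // ... (other route registrations elided in the answer)

            // Default MVC route: /{controller}/{action}/{id}
            routes.MapRoute(
                name: "Default",
                url: "{controller}/{action}/{id}",
                defaults: new { controller = "Home", action = "Index", id = UrlParameter.Optional }
            );
        }
    }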

WebApiConfig Class

    using System.Web.Http;

    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            // TODO: Add any additional configuration code.

            // Web API routes
            config.MapHttpAttributeRoutes();
            config.Formatters.XmlFormatter.UseXmlSerializer = true;

            // YourMessageHandlers is a placeholder for your own DelegatingHandler
            config.MessageHandlers.Add(new YourMessageHandlers());

            // Convention route for Web API, kept under the "api/" prefix
            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{action}/{id}",
                defaults: new { id = RouteParameter.Optional }
            );
        }
    }
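
Simon Belanger's comment above suggests one custom filter that implements both `IAuthorizationFilter` interfaces, so the Web API enforces on the server the same permission the MVC views use to hide buttons. The following is an added example of that idea, not code from the question or the answer; the class name `RequireRoleFilter` and the role name `"Editors"` are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using Api = System.Web.Http;
using Mvc = System.Web.Mvc;

// Added example: one permission decision shared by the MVC and Web API pipelines.
// Register once per pipeline (role name "Editors" is a placeholder):
//   Mvc.GlobalFilters.Filters.Add(new RequireRoleFilter("Editors"));   // Application_Start
//   config.Filters.Add(new RequireRoleFilter("Editors"));              // WebApiConfig.Register
public sealed class RequireRoleFilter : Mvc.IAuthorizationFilter, Api.Filters.IAuthorizationFilter
{
    private readonly string _role;
    public RequireRoleFilter(string role) { _role = role; }

    // Both pipelines see the same principal (set by forms authentication).
    private bool IsAllowed(IPrincipal user)
    {
        return user != null && user.Identity.IsAuthenticated && user.IsInRole(_role);
    }

    // MVC side: short-circuit the action with 401 unless [AllowAnonymous] is present.
    public void OnAuthorization(Mvc.AuthorizationContext filterContext)
    {
        var action = filterContext.ActionDescriptor;
        bool anonymous = action.IsDefined(typeof(Mvc.AllowAnonymousAttribute), true)
            || action.ControllerDescriptor.IsDefined(typeof(Mvc.AllowAnonymousAttribute), true);
        if (!anonymous && !IsAllowed(filterContext.HttpContext.User))
            filterContext.Result = new Mvc.HttpUnauthorizedResult();
    }

    // Web API side: required by System.Web.Http.Filters.IFilter.
    public bool AllowMultiple { get { return false; } }

    public Task<HttpResponseMessage> ExecuteAuthorizationFilterAsync(
        Api.Controllers.HttpActionContext actionContext, CancellationToken cancellationToken,
        Func<Task<HttpResponseMessage>> continuation)
    {
        var action = actionContext.ActionDescriptor;
        bool anonymous = action.GetCustomAttributes<Api.AllowAnonymousAttribute>().Count > 0
            || action.ControllerDescriptor.GetCustomAttributes<Api.AllowAnonymousAttribute>().Count > 0;
        if (anonymous || IsAllowed(actionContext.RequestContext.Principal))
            return continuation();
        return Task.FromResult(actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized));
    }
}
```

With forms authentication enabled, a 401 from either pipeline is turned into a redirect to the login page by default; for `$http` calls, setting `HttpContext.Current.Response.SuppressFormsAuthenticationRedirect = true` (available since .NET 4.5) keeps the 401 status so the AngularJS client can react to it.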