Securing the ASP.NET Web API

This blog post is about how to secure the ASP.NET Web API when implemented together with EPiServer CMS.


In my blog post Creating a REST data store in EPiServer 7 Preview I stated that the implementation of the REST data store in EPiServer 7 Preview  closely resembles the ASP.NET Web API. Just as the REST data store the ASP.NET Web API can be used for both integration with UI components in EPiServer CMS as well as integration with third-party applications.

The REST data store is implemented as an EPiServer module. These modules can either be public or protected should they be available for third-party applications or serve as protected UI components only. When using the ASP.NET Web API we also want to be able to secure resources for internal use.

See Frederik Vig’s blog post Using the ASP.NET Web API framework with EPiServer to get started.

MVC security

The recommendation for MVC is that you shouldn’t secure your site using web.config as we do for web forms. Instead the controller itself defines itself as a protected resource or not. See the post Securing your ASP.NET MVC 4 App and the new AllowAnonymous Attribute by Rick Anderson that goes more in-depth into the topic.

To secure our controller with the ASP.NET Web API we decorate our class with the Authorize-attribute. The default implementation of Authorize simply checks if the user is authenticated. See source below.

The authorize attribute, however, does not specify how the user should be authorized. This is specified by the authentication-element in web.config. Please note that by default the implementation checks if the user is authorized, not authenticated as a specific user or in a role.

You can inherit from the authorize attribute and implement your own implementation by overriding the AuthorizeCore-method.

Implementing a secure controller

See sample code for our secure ASP.NET Web API controller below.

To specify explicit access for a user or group you can add Users and/or Roles as named parameters to the authorize attribute. See sample code below.

Please note that the ASP.NET Web API controller is implemented according to convention by adhering to the HTTP verbs Get, Put, Post and Update. This means that you by convention need to either create a method that directly applies to the HTTP verb or is prefixed with the HTTP verb. The alternative is to decorate your method with an attribute corresponding to the HTTP verb.

When trying to access the resource “/api/deathstar/superlaser” we now receive a 401 (unauthorized).


Our resource is now protected from public access and the user must first be authenticated as specified by web.config before being granted access.

Thanks for reading!

Recent Posts
  • Fred .

    How to add users to a role?
    UserManager have a AddToRole function.

Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Not readable? Change text. captcha txt

Start typing and press Enter to search