
I am using Web API 2.0 and C# on the server side of my application.

I want to create a custom filter (authorization filter, I guess) to only authorize POST/PUT requests that are coming from allowed referrers (that I define) and block all other requests.

EDIT: to explain more: I need a good way to see if Request.Header.Referrer exists in the list of referrers I predefined to allow the request; otherwise I block it and don't authorise the method to be executed.

Do I use AuthorizationFilter? Why? And how? Or do I need another type of filter like OperationFilter or others?

If you may explain to me in addition what the main differences are that make me choose to work with this type of filter and not another...

I searched for that on Google but all I found were very detailed, large implementations, and I still don't see the difference between the most popular (used) types of filters and the reason we base our choices on.

Thanks in advance

EDIT: I tried to implement CORS but the problem is that CORS doesn't block requests like mentioned in this post... and the solution given is too much for a simple need like mine

1 Answer

You can make use of custom HttpHandlers to handle identifying the type of incoming requests. You could derive from System.Net.Http.DelegatingHandler and override the SendAsync method as below:

using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

public class RequestFilterHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        if (IsAuthorizedPostOrPutCall(request))
        {
            // Pass the request on to the next handler in the pipeline (ultimately the Web API dispatcher).
            return base.SendAsync(request, cancellationToken);
        }

        // Short-circuit: answer 401 without the request ever reaching a controller.
        return Task.FromResult(new HttpResponseMessage(HttpStatusCode.Unauthorized));
    }

    private bool IsAuthorizedPostOrPutCall(HttpRequestMessage request)
    {
        // Assumption: predefined list of allowed referrers you get through a service.
        // Referer is parsed into a Uri, so the entries must be full URLs (a missing header is null and never matches).
        ICollection<Uri> referrerList = new List<Uri>();
        return referrerList.Contains(request.Headers.Referrer)
            && (request.Method == HttpMethod.Post || request.Method == HttpMethod.Put);
    }
}

In your Global.asax.cs:

 GlobalConfiguration.Configuration.MessageHandlers.Add(new RequestFilterHandler());

8 Comments

Will you block any call irrespective of whether it is PUT/POST if it is not in the referrer list?
The else part handles it. It will send an unauthorized response if not in the referrer list (POST or PUT call).
Last question, how can I use this RequestFilterHandler? And make it general on all PUT/POST requests?
Just add this class in your Web API project. As I said, this is a delegating handler; every request will hit the SendAsync method first. Based on the logic written in IsAuthorizedPostOrPutCall() it will further process the request by routing it to the appropriate WebApiController or return an unauthorized response.
There is nothing to add in the Web API config or something like that? Just add the class and the handler will do the work?
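As an added example (not code from the question or the answer above), here is a variant of the delegating-handler approach that compares the Referer by origin (scheme://host[:port]) instead of by full URL, applies the check only to state-changing methods (POST, PUT, PATCH, DELETE) and lets GET through, fails closed when the header is missing, and can be driven in memory through HttpMessageInvoker without starting Web API. The class names, origins, hosts and paths are constructed placeholders. In a Web API project it is registered the same way as the answer's handler, with GlobalConfiguration.Configuration.MessageHandlers.Add(new ReferrerOriginHandler(...)).

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Added example, not the answer's code. Restricts state-changing requests to a
// fixed set of allowed referrer origins and passes safe methods through untouched.
public class ReferrerOriginHandler : DelegatingHandler
{
    private static readonly HashSet<HttpMethod> StateChanging = new HashSet<HttpMethod>
    {
        HttpMethod.Post, HttpMethod.Put, HttpMethod.Delete, new HttpMethod("PATCH")
    };

    // Entries are origins (scheme://host[:port]), so any page under them matches.
    private readonly HashSet<string> allowedOrigins;

    public ReferrerOriginHandler(IEnumerable<string> origins)
    {
        allowedOrigins = new HashSet<string>(origins, StringComparer.OrdinalIgnoreCase);
    }

    // Reduces a Referer such as https://app.example.com/orders/42 to its origin
    // https://app.example.com; returns null when there is no usable Referer.
    public static string OriginOf(Uri referrer)
    {
        if (referrer == null || !referrer.IsAbsoluteUri) return null;
        return referrer.GetLeftPart(UriPartial.Authority);
    }

    public bool IsAllowed(HttpRequestMessage request)
    {
        if (!StateChanging.Contains(request.Method)) return true;   // GET, HEAD, OPTIONS pass
        var origin = OriginOf(request.Headers.Referrer);
        return origin != null && allowedOrigins.Contains(origin);   // missing Referer fails closed
    }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        if (IsAllowed(request))
            return base.SendAsync(request, cancellationToken);

        // 403 rather than 401: the request was understood, but this referrer may not issue it.
        var denied = new HttpResponseMessage(HttpStatusCode.Forbidden) { RequestMessage = request };
        return Task.FromResult(denied);
    }
}

// Stand-in for the rest of the pipeline; in Web API the inner handler is the dispatcher.
public class AlwaysOkHandler : HttpMessageHandler
{
    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        return Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK));
    }
}

public static class Demo
{
    private static HttpRequestMessage Build(HttpMethod method, string url, string referrer)
    {
        var req = new HttpRequestMessage(method, url);
        if (referrer != null) req.Headers.Referrer = new Uri(referrer);
        return req;
    }

    public static void Main()
    {
        var handler = new ReferrerOriginHandler(new[] { "https://app.example.com" })
        {
            InnerHandler = new AlwaysOkHandler()
        };
        // HttpMessageInvoker drives the handler chain directly, without an HTTP server.
        var invoker = new HttpMessageInvoker(handler);

        // Constructed sample requests (the api/app hosts are placeholders).
        var samples = new[]
        {
            Build(HttpMethod.Post, "https://api.example.com/items", "https://app.example.com/orders/42"),
            Build(HttpMethod.Put, "https://api.example.com/items/1", "https://other-site.example.net/"),
            Build(HttpMethod.Delete, "https://api.example.com/items/1", null),
            Build(HttpMethod.Get, "https://api.example.com/items", null),
        };

        foreach (var req in samples)
        {
            var status = invoker.SendAsync(req, CancellationToken.None).Result.StatusCode;
            Console.WriteLine("{0} {1} referer={2} -> {3}",
                req.Method, req.RequestUri.AbsolutePath, req.Headers.Referrer, status);
        }
    }
}
```

A global message handler runs before routing and controller selection, which is why it is the right hook when the decision does not depend on which controller or action is targeted; an AuthorizationFilter only runs once an action has been selected. Referer is supplied by the client and is frequently absent (browser referrer policies, privacy extensions, non-browser clients), so this handler is a coarse gate placed in front of the application's real authentication, not a replacement for it.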
