Https and Http only on .net webapi v2 action
I am working on a project with webapi 2 using toereh 2 (openid connect to exact) bearer tokens to grant access. Now the whole idea is that bearer tokens are only secure when used with a secure connection.
Until now, I just didn't allow HTTP calls to the webserver, which worked as no one could make an HTTP call with the bearer token.
We now have some endpoints that need to be accessible over http (no token / script required for that) and we're going to enable HTTP of course. Now my question is, what is normal in these situations?
I have an attribute that I can use for all actions that only accept https? Can I make it the default and only put the attribute on the ones that fit http?
What is the advice, is it our responsibility to ensure that no one is using the oauth token on an unsafe string, or is it an api user?
source to share
I believe the correct way to do this is to add a global action filter that will force you to use HTTP files for all controllers / actions in your web API. The implementation of this HTTP action filter could be as follows:
public class ForceHttpsAttribute : AuthorizationFilterAttribute
{
public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
{
var request = actionContext.Request;
if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
{
var html = "<p>Https is required</p>";
if (request.Method.Method == "GET")
{
actionContext.Response = request.CreateResponse(HttpStatusCode.Found);
actionContext.Response.Content = new StringContent(html, Encoding.UTF8, "text/html");
UriBuilder httpsNewUri = new UriBuilder(request.RequestUri);
httpsNewUri.Scheme = Uri.UriSchemeHttps;
httpsNewUri.Port = 443;
actionContext.Response.Headers.Location = httpsNewUri.Uri;
}
else
{
actionContext.Response = request.CreateResponse(HttpStatusCode.NotFound);
actionContext.Response.Content = new StringContent(html, Encoding.UTF8, "text/html");
}
}
}
}
Now you want to register this globally in the WebApiConfig class like this:
config.Filters.Add(new ForceHttpsAttribute());
As I understand from your question, the number of controllers you want to call over https is greater than the controllers over http, so you want to add an override attribute for those http controllers. [OverrideActionFiltersAttribute]
Don't forget to include your anonymous controllers with the attribute [AllowAnonymous]
. But my recommendation is to keep communicating over https and you just allow anonymous calls. Read more about securing https on my blog here: http://bitoftech.net/2013/12/03/enforce-https-asp-net-web-api-basic-authentication/
Hope this helps.
source to share
First, I believe that you definitely need to do your best to keep this token secure and therefore the server must enforce SSL.
We are using web api v1 (infrastructure constraints :() and we have a global DelegatingHandler that enforces SSL for all requests except for certain urls that are whitelisted (not the nicest solution, but it works for now).
In web api 2, I believe you can have a global FilterAttribute to enable SSL connectivity and then use the new attribute override feature http://dotnet.dzone.com/articles/new-filter-overrides-feature to get yours exceptions - the whole theory! :)
Hope this helps Garrett
source to share