How to make an authorized HttpWebRequest ASP.NET MVC web application
I have an ASP.NET MVC web application that needs to allow a public API to upload files. Here is the action code:
public ActionResult DownloadFile(int id)
{
var item = _context.GetRepositoryFileByID(id);
if (item == null)
{
return HttpNotFound();
}
var filePath = Path.Combine(AppConfig.FilesRepositoryStorageRoot, item.IntrenalFilePath);
return File(filePath, "application/pdf");
}
this method is a controller with an attribute [Authorize(Roles = "Administrator,User")]
set to it, so only the logged in user can access this action.
this action should now allow users to make a request using the following code:
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(new Uri(fileDownloadUrl));
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
what I am missing is how to pass the authorized HttpWebRequest
into the action DownloadFile
.
everything i tried will return the login page because the app cannot authorize the user and allow him to access the action DownloadFile
.
I tried to pass this Cookie value to the website that is requesting the file using the following code
var authCookie = FormsAuthentication.GetAuthCookie(User.Identity.Name, true);
var authCoockieValue = authCookie.Value;
The website then used this value like this:
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(new Uri(fileDownloadUrl));
request.Headers[HttpRequestHeader.Authorization] = "Bearer " + authorization;
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
but it didn't work. I also tried to pass the title using "Basic" instead of the "Bearer" tag, but that is also a field.
I agree that I don't really understand how an ASP.NET MVC application uses the [Authorize]
c attribute FormsAuthentication
, so I humbly ask for your help ...
source to share
I found a solution. You need to add an Authentication Cookie in the HttpWebRequest
following way:
Uri fileDownloadURI = new Uri(fileDownloadUrl);
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(fileDownloadURI);
request.Headers[HttpRequestHeader.Authorization] = "Bearer " + authorization;
var authCookie = FormsAuthentication.GetAuthCookie(User.Identity.Name, true);
Cookie requestAuthCoockie = new Cookie()
{
Expires = authCookie.Expires,
Name = authCookie.Name,
Path = authCookie.Path,
Secure = authCookie.Secure,
Value = authCookie.Value,
Domain = fileDownloadURI.Host,
HttpOnly = authCookie.HttpOnly,
};
request.CookieContainer = new CookieContainer();
request.CookieContainer.Add(requestAuthCoockie);
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
source to share
Depends on what kind of authentication you are using. Generally, just simulate what the browser does when the user logs in (you should know based on your web.config code, or you can use a web debugging tool to capture web requests). In the case of login form and cookies, just call the login action from your HttpWebRequest and use the CookieContainer so that the resulting cookie is saved for the next request. Or you can create a new authentication API or even a completely new web application with different authentication.
source to share