
Pretty similar to this question here, the current application that we are working on has separate MVC 4 and WebApi 2 projects, where the MVC project is processing the user request to the WebApi which actually executes the business logic and then again the MVC is responsible for showing the result to the user. One thing that we can't figure out yet is how to authorize a user properly on both - the WebApi and MVC. The problem is - when, for example, the session is expired we don't want the request for some resource to be processed back to the WebApi which then will make the check if the user actually is authorized to see this data. What we want to figure out is how to share a common logic for authorization when, say - the user, if his session is expired, is returned to the log on page, but if his status is OK to be processed to the WebApi where again the user could be checked if he has the rights to access some data.


I'll try to make the question more self-explanatory: I have a solution with two projects - project1 - ASP.NET MVC 4 and project2 - WebApi 2 project. The MVC project has more of representational functions and it's a layer between the user and the place where the actual business logic is implemented (the WebApi). So for example if I go to the Products page, this calls an action from MVC, but here is the tricky part - the user may not be able to enter the Products page at all (session expired, for example). In this case I don't want to proceed with calling the WebApi 2 method which eventually will take care and check if the user is authorized or not to see this data, but instead in this case I want the MVC action to redirect the user to a LogIn page or something. And the other case - the user is successfully logged in, his session is not expired, so the service responsible for fetching the products is called, but at this point I want to check what kind of products the user has rights to see. So in both cases I need some sort of authorization, but the first time it should be done in the MVC project and the second time in the WebApi 2 project. And I'm not really sure if this is possible, but I'm looking for a way to implement this authorization logic in one place and consume it where I need it instead of implementing something explicitly for the Mvc project and then something pretty much the same for the WebApi 2 project.

Leron
  • Can you make your question a little clearer? What specific problem are you trying to solve? – Robert Harvey Apr 28 '15 at 17:09
  • @RobertHarvey The specific problem is how to define the user authorization logic in one place and being able to use it on two different projects, in this particular case - `MVC` and `WebApi 2` projects. – Leron Apr 28 '15 at 17:17
  • Well, there's a lot of words here, but it boils down to using the same authentication mechanism for both the web page and the API, right? – Robert Harvey Apr 28 '15 at 17:51
  • @RobertHarvey That's correct, sir! Just to be precise, more about authorization than authentication. But frequently they get together... – Leron Apr 28 '15 at 18:00
  • What prevents you from putting your authorization logic in a single assembly, and then referencing that assembly in both of your projects? – Robert Harvey Apr 28 '15 at 18:04
  • @RobertHarvey To be honest I wrote this question because I'm pretty much confused. This may be a solution, I'm just not sure how to implement it. Even some pseudo code would help. Also I was advised by a more experienced programmer that there is/are feature(s) in `ASP.NET` which with little description in `web.config` (and maybe something else) does exactly the same, but it was him just saying stuff that he maybe read somewhere, someday, but it gave me confidence that maybe there's such a feature and I just don't know about it. That's pretty much all. – Leron Apr 28 '15 at 18:12
  • Alright. I'll do some research and write up an answer later today. – Robert Harvey Apr 28 '15 at 18:18

0 Answers
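An added example, not part of the original question or comments: one way to lay out the single-assembly approach raised in the comments, with the rule defined once and enforced by a thin filter in each project. The names `Shop.Authorization`, `Shop.Web`, `Shop.Api`, `AccessPolicy`, `RequirePermissionAttribute` and `"Products.Read"` are hypothetical, and the sketch assumes each project already authenticates the caller and that permissions map to roles.

```csharp
// ---- Shared class library, referenced by both projects (hypothetical names) ----
namespace Shop.Authorization
{
    using System.Security.Principal;

    public static class AccessPolicy
    {
        // Deny by default: a missing or unauthenticated principal never passes.
        public static bool CanAccess(IPrincipal user, string permission)
        {
            if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
                return false;
            if (string.IsNullOrEmpty(permission))
                return false;
            // Assumption: permissions are modelled as roles; replace with a claims
            // or database lookup without touching either web project.
            return user.IsInRole(permission);
        }
    }
}

// ---- MVC 4 project: usage [RequirePermission(Permission = "Products.Read")] ----
namespace Shop.Web
{
    public class RequirePermissionAttribute : System.Web.Mvc.AuthorizeAttribute
    {
        public string Permission { get; set; }

        // Returning false yields a 401 result; with forms authentication
        // configured, ASP.NET turns that into a redirect to the login page,
        // so the MVC action body (and its call to the API) never runs.
        protected override bool AuthorizeCore(System.Web.HttpContextBase httpContext)
        {
            return Shop.Authorization.AccessPolicy.CanAccess(httpContext.User, Permission);
        }
    }
}

// ---- Web API 2 project: same rule, enforced again at the service boundary ----
namespace Shop.Api
{
    public class RequirePermissionAttribute : System.Web.Http.AuthorizeAttribute
    {
        public string Permission { get; set; }

        // Returning false produces a 401 response; the API does not rely on
        // the MVC front end having already checked the caller.
        protected override bool IsAuthorized(System.Web.Http.Controllers.HttpActionContext actionContext)
        {
            return Shop.Authorization.AccessPolicy.CanAccess(
                actionContext.RequestContext.Principal, Permission);
        }
    }
}
```

Keeping the check in the API as well as in the MVC layer means a request that reaches the API directly is still evaluated against the same policy.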