Authentication and Authorization in Web API -Part1

The Authentication technique used mainly by token based with OWIN, Step was to register a user , We created a appliction form to submit the user credentials to the WEB API Post Mehtod and saved in the database . We have built a repository class which interacts with the database and gives the required result-set when requested for , We have also introduced a Business Layer which handles the business logics and acts as model for the controller . The implementations of the Authentication and Authorization is done from this site .

http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/

The Controller Class

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using WebApiDemo.Models;

namespace WebApiDemo.Controllers
{
public class EmployeeController : ApiController

{ [Authorize]
[HttpGet]
public IEnumerable<Employee> GetEmployee()
{
BusinessLayer b = new BusinessLayer();
return b.getEmployees();

}
/*
* Test U-http://localhost:8322/api/Employee/GetEmployee?gender=female
* U-http://localhost:8322/api/Employee/GetEmployee?gender=male
* U-http://localhost:8322/api/Employee/GetEmployee?gender=all
*
* */
[Authorize]
[HttpGet]
public HttpResponseMessage GetEmployee(string gender)
{
try
{
BusinessLayer bl = new BusinessLayer();
switch(gender.ToLower())
{

case "all":
{
return Request.CreateResponse(HttpStatusCode.OK,bl.getEmployees().ToList());
}
case "female":
{
var emp = bl.getEmployees().Where(Row => Row.gender == "Female").ToList();
return Request.CreateResponse(HttpStatusCode.OK, emp);
}
case "male":
{
var emp = bl.getEmployees().Where(Row => Row.gender == "Male").ToList();
return Request.CreateResponse(HttpStatusCode.OK, emp);
}
default:
return Request.CreateErrorResponse(HttpStatusCode.BadRequest, "Values must be All,male,female " + gender + " is invalid");

}
}
catch (Exception ex)
{
return Request.CreateErrorResponse(HttpStatusCode.BadRequest, ex.Message);
}
}

[Authorize]
[HttpPost]
public HttpResponseMessage PostEmployee([FromBody]Employee emp)
{
BusinessLayer b = new BusinessLayer();
string result;
try
{
result=b.postEmployee(emp);

if(result=="Failure")
{
throw new Exception();
}
var message = Request.CreateResponse(HttpStatusCode.Created, emp);
message.Headers.Location = new Uri(Request.RequestUri + emp.Id.ToString());
return message;
}
catch (Exception e)
{
var message = Request.CreateErrorResponse(HttpStatusCode.BadRequest, e);
return Request.CreateErrorResponse(HttpStatusCode.BadRequest, e);
}
}

[Authorize]
[HttpDelete]
public HttpResponseMessage DeleteEmployee(int Id)
{
try
{
BusinessLayer b = new BusinessLayer();
var emp = b.getEmployees().Where(x => x.Id == Id).Select(v=> v.firstName).ToList();
if (emp.Count == 0)
{
return Request.CreateErrorResponse(HttpStatusCode.NotFound, " EmployeeId " + Id.ToString() + " do Not Exists");
}
else
{
b.deleteEmployee(Id);
return Request.CreateResponse(HttpStatusCode.OK);
}
}
catch (Exception e)
{
return Request.CreateErrorResponse(HttpStatusCode.BadRequest, e);
}

}
/*
Testing : {"Id":1,"firstName":"Hari","lastName":"Singh","gender":"female","Salary":25000} Json value to be sent from FormBody
* {"email":"amit.mazumder@sbc.com","password":"hello","confirmPassword:"hello" }
*/
//[Authorize]
[HttpPut]
public HttpResponseMessage Put(int Id,[FromBody]Employee emp)
{
try
{
BusinessLayer bl = new BusinessLayer();
var em = bl.getEmployees().Where(row => row.Id == Id).Select(v => v.firstName).ToList();
if (em.Count == 0)
{
return Request.CreateErrorResponse(HttpStatusCode.NotFound, "Employee Id" + Id.ToString() + "Do not Exists");
}
else
{
bl.UpdateEmployee(Id, emp);
return Request.CreateResponse(HttpStatusCode.OK, emp);
}
}

catch(Exception ex)
{
return Request.CreateErrorResponse(HttpStatusCode.BadRequest, ex.Message);
}

}

[HttpPost]
public HttpResponseMessage Register([FromBody]RegisterModel emp)
{
try
{
BusinessLayer b = new BusinessLayer();
b.RegisterUser(emp);
return Request.CreateResponse(HttpStatusCode.OK, "User " + emp.email + " added");
}
catch(Exception e)
{
return Request.CreateErrorResponse(HttpStatusCode.BadRequest, e.Message);
}

}

}
}

Repository layer class - which interacts with the database

using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Web;
using System.Data;
using System.Data.SqlClient;

/*
Data Source=APOTHEOSIS113\SQLEXPRESS;Initial Catalog=WebApiDb;Integrated Security=True;Pooling=False
*/

namespace WebApiDemo
{
public class RepositoryLayer
{

public DataTable getEmployee()
{
String cs=ConfigurationManager.ConnectionStrings["WebApiEmp"].ConnectionString;

DataTable dt = new DataTable();
using (SqlConnection conn = new SqlConnection(cs))
{
using (SqlCommand cmd = new SqlCommand("Select * from Employee", conn))
{
conn.Open();
SqlDataAdapter ap = new SqlDataAdapter(cmd);
ap.Fill(dt);

}

}
return dt;

}

public string postEmployee(int param1,string param2,string param3,string param4,int param5)
{
String cs = ConfigurationManager.ConnectionStrings["WebApiEmp"].ConnectionString;
string command="insert into Employees values ("+ param1+",'"+param2+"','"+param3+"','"+param4+"',"+param5+")";
using (SqlConnection conn = new SqlConnection(cs))
{
using (SqlCommand cmd = new SqlCommand(command, conn))
{

conn.Open();
try
{
cmd.ExecuteNonQuery();
return "Success";
}
catch(Exception e)
{
return "Failure";
}

}
}

}
public void deleteEmployee(int Id)
{
String cs = ConfigurationManager.ConnectionStrings["WebApiEmp"].ConnectionString;
string command = "delete from Employee where Id=" + Id;
using (SqlConnection conn = new SqlConnection(cs))
{
using (SqlCommand cmd = new SqlCommand(command, conn))
{

conn.Open();
cmd.ExecuteNonQuery();

}
}

}
public void UpdateEmployee(int param1, string param2, string param3, string param4)
{
String cs = ConfigurationManager.ConnectionStrings["WebApiEmp"].ConnectionString;
string command = "Update Employee Set First_Name='" + param2 + "' ,Last_Name='" + param3 + "' ,Gender='" + param4 + "' where Id=" + param1;
using (SqlConnection conn = new SqlConnection(cs))
{
using (SqlCommand cmd = new SqlCommand(command, conn))
{
try
{
conn.Open();
cmd.ExecuteNonQuery();
}
catch (Exception ex)
{
throw ex;
}

}
}

}
public void registerEmployee(string param1, string param2, string param3)
{
String cs = ConfigurationManager.ConnectionStrings["WebApiEmp"].ConnectionString;
SqlConnection conn=new SqlConnection(cs);
SqlCommand cmd = new SqlCommand("Register_User", conn);
conn.Open();
cmd.CommandType = CommandType.StoredProcedure;

cmd.Parameters.Add(new SqlParameter("Email",param1));
cmd.Parameters.Add(new SqlParameter("Password", param2));
cmd.Parameters.Add(new SqlParameter("ConfirmPassword", param3));
try
{
cmd.ExecuteNonQuery();
conn.Close();
}
catch(Exception Ex)
{
throw Ex;
}
}

public DataTable getUser(string email, string password)
{
String cs = ConfigurationManager.ConnectionStrings["WebApiEmp"].ConnectionString;
DataTable dt = new DataTable();
string commad="select * from [User] where Email='"+email+"' and Password='"+password+"'";

using (SqlConnection conn = new SqlConnection(cs))
{
using(SqlCommand cmd= new SqlCommand(commad,conn))
{
conn.Open();
try
{
SqlDataAdapter ap = new SqlDataAdapter(cmd);
ap.Fill(dt);
}
catch (Exception ex)
{
throw ex;
}

}
}
return dt;
}


}

}

The Business Layer class which interacts with the Repository class and provides data to the

Controller , All our business logics are embedded in this class

using System;

using System.Collections.Generic;

using System.Data;

using System.Linq;

using System.Web;

using WebApiDemo.Models;

namespace WebApiDemo

{

public class BusinessLayer

{

public RepositoryLayer RL;

public BusinessLayer()

{

RL = new RepositoryLayer();

}

public IEnumerable<Employee> getEmployees()

{

DataTable dt=RL.getEmployee();

IEnumerable<Employee> employeeList=dt.AsEnumerable().Select(x => new Employee

{

Id = Convert.ToInt32(x["Id"]),

firstName = Convert.ToString(x["First_Name"]),

lastname = Convert.ToString(x["Last_Name"]),

gender = Convert.ToString(x["Gender"]),

salary = Convert.ToInt32(x["Salary"])

});

return employeeList;

}

public string postEmployee(Employee emp)

{

int Id=emp.Id;

string firstNam=emp.firstName;

string lastName= emp.lastname;

string gender= emp.gender;

int salary=emp.salary;

return RL.postEmployee(Id, firstNam, lastName, gender, salary);

}

public void deleteEmployee(int Id)

{

RL.deleteEmployee(Id);

}

public void UpdateEmployee(int Id, Employee emp)

{

string firstName = emp.firstName;

string lastName = emp.lastname;

string gender = emp.gender;

RL.UpdateEmployee(Id, firstName, lastName, gender);

}

public void RegisterUser(RegisterModel regmodel)

{

RL.registerEmployee(regmodel.email, regmodel.password, regmodel.confirmPassword);

}

public IEnumerable<RegisterModel> FindUser(string email, string password)

{

DataTable dt=RL.getUser(email, password);

IEnumerable<RegisterModel> user =dt.AsEnumerable().Select(row => new RegisterModel

{

email=Convert.ToString(row["Email"]),

password=Convert.ToString(row["Password"]),

confirmPassword=Convert.ToString(row["ConfirmPassword"])

});

return user;

}

The Model - Employee Class

using System;

using System.Collections.Generic;

using System.Data;

using System.Linq;

using System.Web;

using WebApiDemo.Models;

namespace WebApiDemo

{

public class BusinessLayer

{

public RepositoryLayer RL;

public BusinessLayer()

{

RL = new RepositoryLayer();

}

public IEnumerable<Employee> getEmployees()

{

DataTable dt=RL.getEmployee();

IEnumerable<Employee> employeeList=dt.AsEnumerable().Select(x => new Employee

{

Id = Convert.ToInt32(x["Id"]),

firstName = Convert.ToString(x["First_Name"]),

lastname = Convert.ToString(x["Last_Name"]),

gender = Convert.ToString(x["Gender"]),

salary = Convert.ToInt32(x["Salary"])

});

return employeeList;

}

public string postEmployee(Employee emp)

{

int Id=emp.Id;

string firstNam=emp.firstName;

string lastName= emp.lastname;

string gender= emp.gender;

int salary=emp.salary;

return RL.postEmployee(Id, firstNam, lastName, gender, salary);

}

public void deleteEmployee(int Id)

{

RL.deleteEmployee(Id);

}

public void UpdateEmployee(int Id, Employee emp)

{

string firstName = emp.firstName;

string lastName = emp.lastname;

string gender = emp.gender;

RL.UpdateEmployee(Id, firstName, lastName, gender);

}

public void RegisterUser(RegisterModel regmodel)

{

RL.registerEmployee(regmodel.email, regmodel.password, regmodel.confirmPassword);

}

public IEnumerable<RegisterModel> FindUser(string email, string password)

{

DataTable dt=RL.getUser(email, password);

IEnumerable<RegisterModel> user =dt.AsEnumerable().Select(row => new RegisterModel

{

email=Convert.ToString(row["Email"]),

password=Convert.ToString(row["Password"]),

confirmPassword=Convert.ToString(row["ConfirmPassword"])

});

return user;

}

The Register Model

using System;

using System.Collections.Generic;

using System.Linq;

using System.Web;

namespace WebApiDemo.Models

{

public class RegisterModel

{

public string email { get; set; }

public string password { get; set; }

public string confirmPassword { get; set; }

}

The DataBase Tables

SimpleAuthorizationServerProvider class which checks all the requests and marks either authenticated and authorised

using Microsoft.Owin.Security.OAuth;

using System;

using System.Collections.Generic;

using System.Linq;

using System.Security.Claims;

using System.Threading.Tasks;

using System.Web;

using WebApiDemo.Models;

namespace WebApiDemo.Provider

{

public class SimleAuthorizationServerProvider:OAuthAuthorizationServerProvider

{

public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)

{

context.Validated();

}

public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)

{

context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });

BusinessLayer bl = new BusinessLayer();

var R1 = bl.FindUser(context.UserName, context.Password);

if (R1 == null)

{

context.SetError("Invalid User");

return;

}

var identity = new ClaimsIdentity(context.Options.AuthenticationType);

identity.AddClaim(new Claim("sub", context.UserName));

identity.AddClaim(new Claim("role", "user"));

context.Validated(identity);

}

We have to create a startup.cs class which will be used to validate any incoming request

using Microsoft.Owin;

using Microsoft.Owin.Security.OAuth;

using Owin;

using System;

using System.Collections.Generic;

using System.Linq;

using System.Web;

using System.Web.Http;

using WebApiDemo.Provider;

[assembly:OwinStartup(typeof(WebApiDemo.Startup))]

namespace WebApiDemo

{

public class Startup

{

public void Configuration(IAppBuilder app)

{

HttpConfiguration config = new HttpConfiguration();

ConfigureOAuth(app);

WebApiConfig.Register(config);

//app.UserCors(Microsoft.Owin.Cors.CorsOption.AllowAll);

app.UseWebApi(config);

}

public void ConfigureOAuth(IAppBuilder app)

{

OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()

{

AllowInsecureHttp = true,

TokenEndpointPath = new PathString("/token"),

AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),

Provider = new SimleAuthorizationServerProvider()

};

// Token Generation

app.UseOAuthAuthorizationServer(OAuthServerOptions);

app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

}

A Registration.htmls page is created to register new users

<!DOCTYPE html>

<head>

</head>

<thead>

New User Registration

</td>

</tr>

</thead>

<tbody>

<tr>

<td>Email</td>

<td>

</td>

</tr>

<tr>

<td>Password</td>

<td>

</td>

</tr>

<tr>

<td>Confirm Password</td>

<td>

</td>

</tr>

</td>

</tr>

</tbody>

</table>

<h4>Success</h4>

</div>

<h2> Registration Successful</h2>

</div>

<button data-dismiss="modal" class="btn btn-success" type="button">Close</button>

</div>

</div>

$(document).ready(function () {

$('#linkClose').click(function () {

$('#divErrorTest').hide('fade');

});

$('#btnRegister').click(function () {

$ajax({

url: 'api/Employee/Register',

method : 'POST',

data : {

email : $('#txtEmail').val(),

password : $('#txtPassword').val(),

confirmPassword : $('#txtPasswordConfirm').val()

success:function(){

$('#successModel').modal('show');

error:function(jqXHR){

$('#divErrorTest').text(jqXHR.responseText);

$('#divError').show('fade');

}

$('#successModel').modal('show');

});

</script>

</body>

</html>

WebConfig File -

<?xml version="1.0" encoding="utf-8"?>

<!--

For more information on how to configure your ASP.NET application, please visit

http://go.microsoft.com/fwlink/?LinkId=169433

-->

</configSections>

</connectionStrings>

</appSettings>

<system.web>

<pages>

</namespaces>

</pages>

</providers>

</profile>

</providers>

</membership>

</providers>

</roleManager>

</providers>

</sessionState>

</system.web>

<system.webServer>

</handlers>

</system.webServer>

</dependentAssembly>

</dependentAssembly>

</dependentAssembly>

</dependentAssembly>

</dependentAssembly>

</dependentAssembly>

</dependentAssembly>

</assemblyBinding>

</runtime>

</entityFramework>

</configuration>

List of references and packages or dll required

<?xml version="1.0" encoding="utf-8"?>

</packages>

Search This Blog

kohuwa

Authentication and Authorization in Web API -Part1

Comments

Post a Comment

Popular posts from this blog

My Gardening Journey 2

My Gardening Journey 6