I'm implementing a Web API where I have different roles available. I have the below scenario which needs to be secured,

For example, I have a method GetEmployeesDetails(ids), where I fetch the details of all the employees who are under the user who is accessing the method (the logged-in user) by the ids. I validate the user accessing the method with an Authorize attribute. Now suppose I have another valid user who has some other employees under him, but he hacks the system and provides some different ids as input to the method; the method will respond with the data. I want to validate that the input provided cannot be tampered with, or somehow validate whether the ids are under the user currently accessing the method. Has anyone come across such a scenario? Any help in this regard will be appreciated.

Thanks

What I have tried:

I have validated whether the user accessing the method is authorised to access the data for the ids provided in the input, but this adds overhead to the workflow. Is there any global concept which I can implement to handle such scenarios? This API will be public, hence security is the major concern.

1 solution


Solution 1

There are a few ways to get there. The easy two are:

1. In the business layer, before returning data, check whether the ids provided by the current user are valid or not.

2. Customize the Authorize filter.
Writing your own custom ASP.Net MVC [Authorize] attributes - Diary Of A Ninja

You can also pass parameters to your custom attribute. This will enable you to conditionally execute logic blocks if needed.
c# - How to add 'pass parameter' to custom AuthorizeAttribute - Stack Overflow
Comments
sagar wasule 5-Feb-16 6:20am
Thanks debashishPaul for your response. I can check whether the ids provided by the current user are valid or not, or whether the current user can access the resource he has asked for, or else throw an unauthorized exception, but this will need to be checked for each and every method in the web API. Is there any other way around where I can handle such scenarios globally?
debashishPaul 5-Feb-16 21:36pm
Yes... put that piece of logic in your custom Authorize attribute.
http://www.diaryofaninja.com/blog/2011/07/24/writing-your-own-custom-aspnet-mvc-authorize-attributes

You can also pass parameters to your custom attribute. This will enable you to conditionally execute logic blocks if needed.
http://stackoverflow.com/questions/15042821/how-to-add-pass-parameter-to-custom-authorizeattribute
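The check both comments describe, written as an ASP.NET Web API 2 filter. This is an added example, not code from the question or the answer; the `IEmployeeOwnership` lookup, its static `Ownership` property and the `NameIdentifier` claim carrying the manager id are assumptions. Note that it is an action filter rather than an authorization filter: in Web API, authorization filters run before parameter binding, so `ActionArguments` (and therefore the bound `ids`) is only available in `OnActionExecuting`.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical ownership lookup; a real implementation queries the data store.
public interface IEmployeeOwnership
{
    ISet<int> EmployeeIdsManagedBy(string managerId);
}

// Rejects any request whose bound id list contains an employee the caller does not manage.
public sealed class OwnsEmployeesAttribute : ActionFilterAttribute
{
    // Hypothetical: assigned once at application startup.
    public static IEmployeeOwnership Ownership { get; set; }

    private readonly string _parameterName;

    public OwnsEmployeesAttribute(string parameterName = "ids")
    {
        _parameterName = parameterName;
    }

    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        var user = actionContext.RequestContext.Principal as ClaimsPrincipal;
        var managerId = user?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(managerId))
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        object raw;
        var requested = actionContext.ActionArguments.TryGetValue(_parameterName, out raw)
            ? raw as IEnumerable<int> : null;
        if (requested == null)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.BadRequest);
            return;
        }

        // Every requested id must belong to the caller; a single foreign id fails the whole call.
        var allowed = Ownership.EmployeeIdsManagedBy(managerId);
        if (!requested.All(allowed.Contains))
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
            return;
        }
    }
}
```

Apply it alongside the existing attribute, e.g. `[Authorize, OwnsEmployees("ids")] public IHttpActionResult GetEmployeesDetails(int[] ids)`, so authentication still happens first and the ownership check runs once per action without repeating it in every method body.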
