5

There are some action methods in my WebAPI 2 application where I would like to disable remote accessibility (scheduled administrative tasks). Other action methods should be publicly available. Is an ActionFilter the best bet in this case?

RredCat
Mike Cole

2 Answers

10

I think that cross-origin resource sharing (CORS) will help you if you have a local URL for your site. You can apply a list of origins for public actions and only the local origin for your secured actions. For example:

Local:

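```csharp
using System.Web.Http;
using System.Web.Http.Cors;

// Web API 2: origins are one comma-separated string; headers and methods are required.
[EnableCors(origins: "http://localhost,http://sample.com", headers: "*", methods: "*")]
public class ValuesController : ApiController
{
    // ...
}
```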

and secured:

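```csharp
using System.Web.Http;
using System.Web.Http.Cors;

// Only the local origin is allowed for this controller.
[EnableCors(origins: "http://localhost", headers: "*", methods: "*")]
public class ValuesController : ApiController
{
    // ...
}
```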

You can find more details at the following links: CORS support for ASP.NET Web API and Scope Rules for [EnableCors]

Brant Olsen
RredCat
  • Thanks for this suggestion. I wouldn't have thought of doing it this way. – Mike Cole Dec 23 '13 at 21:23
  • wouldn't this only prevent calls from a browser? Wouldn't server-side calls from off-machine still be allowed, assuming open ports and whatnot? – user323774 Jun 23 '16 at 20:17
  • @user323774 I developed a mobile app that used my API, and I couldn't reach my API until I enabled the CORS attribute (`EnableCorsAttribute("*", "*", "*");`) – RredCat Jun 27 '16 at 08:23
  • The disadvantage is that CORS requires at least MVC 5. – Rosberg Linhares Jul 01 '16 at 19:55
  • @RosbergLinhares I quickly googled around and found that somebody used it with v4 as well - https://dotnettrace.net/2013/10/01/cross-origin-resource-sharing-using-access-control-allow-origin-in-mvc-4/ . Frankly, I haven't checked this article deeply, so it's possible that he did something wrong. – RredCat Jul 04 '16 at 09:25
  • @RredCat In this link the author is implementing CORS from scratch. I really expressed myself wrongly. I meant that the https://www.nuget.org/packages/Microsoft.AspNet.WebApi.Cors/ package is only compatible with MVC 5. – Rosberg Linhares Jul 11 '16 at 19:44
5

From the book "Pro ASP.NET MVC 4, 4th edition":

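```csharp
using System.Web.Mvc;

// MVC action filter (System.Web.Mvc), reproduced as in the book.
public class CustomActionAttribute : FilterAttribute, IActionFilter {
    public void OnActionExecuting(ActionExecutingContext filterContext) {
        // As printed, this returns 404 for *local* requests.
        // Negate the test (!IsLocal) to reject remote callers instead.
        if (filterContext.HttpContext.Request.IsLocal) {
            filterContext.Result = new HttpNotFoundResult();
        }
    }

    public void OnActionExecuted(ActionExecutedContext filterContext) {
        // not yet implemented
    }
}
```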
Brant Olsen
opewix
  • I'm sure you'll understand how to make this example work as desired :) – opewix Dec 23 '13 at 19:11
  • 1
    Nice answer, although I see it a lot; I am having some trouble with the `404 Not Found` which is returned. I would say a `403 Forbidden` is more appropriate. – Stefan Feb 04 '18 at 09:50
  • @Stefan there is an answer for your question: https://stackoverflow.com/questions/5649852/asp-net-web-service-i-would-like-to-return-error-403-forbidden – opewix Feb 05 '18 at 11:23
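
An added example, not taken from either answer or from the cited book: the same local-only check written as a Web API 2 authorization filter, returning `403 Forbidden` as suggested in the comments. `LocalOnlyAttribute`, `TasksController` and its two actions are hypothetical names.

```csharp
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical attribute: rejects every request the host does not classify as local.
public sealed class LocalOnlyAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        // RequestContext.IsLocal is filled in by the Web API host from the
        // connection's remote address, not from the Origin header, so the
        // check applies to browser and non-browser clients alike.
        if (actionContext.RequestContext.IsLocal)
        {
            return; // local caller: let the pipeline continue
        }

        // Setting Response short-circuits the pipeline; the action never runs.
        actionContext.Response = actionContext.Request.CreateErrorResponse(
            HttpStatusCode.Forbidden, "This action is only available locally.");
    }
}

// Hypothetical controller: one public action and one restricted action.
public class TasksController : ApiController
{
    // Reachable by any caller.
    [HttpGet]
    public IHttpActionResult Status()
    {
        return Ok("running");
    }

    // Reachable only from the server itself.
    [HttpPost]
    [LocalOnly]
    public IHttpActionResult RunCleanup()
    {
        // scheduled administrative work would go here
        return Ok("cleanup started");
    }
}
```

Behind a reverse proxy on the same machine, every forwarded request arrives over loopback and counts as local, so in that setup pair the filter with a listener binding or firewall restriction.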