Security Options And Scope In Web API

You might have gone through various articles on Web API security levels and options. This article is intended to give you a short, straight overview of them rather than holding you for long.

Web API can be secured by implementing security inside action filters and message handlers. Thus, we have the following places to write/implement our security:
  • Authentication Filters
  • Authorization Filters
  • Action Filters
  • Message Handlers

Apart from these internal implementations, we can also take benefit of the following:

  • HOST level security

The Web API pipeline is a great mechanism that lets developers extend its behaviour. A request gets processed by the actual method only after crossing certain predefined stages, e.g. handlers and filters. This enables us to implement our security at a granular level (at any level, even at the method level).

The following image illustrates the same (image: Web API 2.0 Security Levels, showing the Web API security levels and types).

Thus, we have many options to implement security at many levels: it can be set globally as well as down to the method/function level.
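The stages listed above, as an added example that is not code from the original article: a message handler (runs first, before routing and every filter), an authentication filter (establishes who the caller is), the built-in `Authorize` authorization filter, and the registration that applies them globally while one action opts out at method level. It assumes ASP.NET Web API 2 (`System.Web.Http`); the class names, the `TokenStore` and its sample token are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Filters;
using System.Web.Http.Results;

// Constructed sample token store; a real service would validate signed tokens.
static class TokenStore
{
    static readonly Dictionary<string, string> Tokens = new Dictionary<string, string>
    {
        { "sample-token-alice", "alice" }   // constructed value, illustration only
    };
    public static bool TryResolve(string token, out string user) { return Tokens.TryGetValue(token ?? "", out user); }
}

// Message handler: first stage of the pipeline, before routing and all filters.
// Rejects plain-HTTP requests so credentials are never accepted in clear text.
public class RequireHttpsHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
            return Task.FromResult(request.CreateResponse(HttpStatusCode.Forbidden, "HTTPS required"));
        return base.SendAsync(request, cancellationToken);
    }
}

// Authentication filter: sets the principal; runs before authorization filters.
public class BearerTokenAuthenticationAttribute : Attribute, IAuthenticationFilter
{
    public bool AllowMultiple { get { return false; } }

    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = context.Request.Headers.Authorization;
        if (auth == null || !string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase))
            return Task.FromResult(0);   // no credentials: stay anonymous, let [Authorize] decide

        string user;
        if (TokenStore.TryResolve(auth.Parameter, out user))
            context.Principal = new ClaimsPrincipal(new GenericIdentity(user, "Bearer"));
        else
            // Bad credentials: short-circuit with 401 and a Bearer challenge.
            context.ErrorResult = new UnauthorizedResult(new[] { new AuthenticationHeaderValue("Bearer") }, context.Request);
        return Task.FromResult(0);
    }

    // Adds WWW-Authenticate whenever a later stage (e.g. [Authorize]) answers 401.
    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        context.Result = new ChallengeOnUnauthorizedResult(context.Result);
        return Task.FromResult(0);
    }

    private class ChallengeOnUnauthorizedResult : IHttpActionResult
    {
        private readonly IHttpActionResult _inner;
        public ChallengeOnUnauthorizedResult(IHttpActionResult inner) { _inner = inner; }

        public async Task<HttpResponseMessage> ExecuteAsync(CancellationToken cancellationToken)
        {
            HttpResponseMessage response = await _inner.ExecuteAsync(cancellationToken);
            if (response.StatusCode == HttpStatusCode.Unauthorized)
                response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
            return response;
        }
    }
}

// Global registration: every request passes the handler, then the two filters.
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.MessageHandlers.Add(new RequireHttpsHandler());
        config.Filters.Add(new BearerTokenAuthenticationAttribute());
        config.Filters.Add(new AuthorizeAttribute());   // authorization filter: deny anonymous by default
        config.MapHttpAttributeRoutes();
    }
}

// Method-level override: one action is opened up, the other inherits the global policy.
[RoutePrefix("api/orders")]
public class OrdersController : ApiController
{
    [HttpGet, Route("status"), AllowAnonymous]
    public IHttpActionResult Status() { return Ok("up"); }

    [HttpGet, Route("mine")]
    public IHttpActionResult Mine() { return Ok("orders for " + User.Identity.Name); }
}
```

Because the handler sits before routing, a request that fails it never reaches a controller, whereas the filters only run once an action has been selected; that ordering is what makes "global" checks cheap to enforce in a handler and per-action exceptions easy to express with attributes.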

Let’s explore hosting-level security options. Earlier we had only the IIS host, but technology has evolved much since and given us more options to host our applications. OWIN hosting is one of the leading approaches to break down the IIS barrier. The following are the approaches for security implementation in these two hosts (IIS and OWIN):

  • OWIN Middleware – if using OWIN hosting
  • HTTP Modules – if using IIS hosting

Simplifying things gives us the following picture of these security options (image: Web API security options, OWIN middleware).

You may also refer to the article Understanding Web API.