HTTP Message Handler in Web API: Real Time Implementation of Message Handler

This is the “HTTP Message Handler in Web API” article series. In our previous two articles we learned the basic concepts of Message Handlers and the execution of HTTP custom Message Handlers. You can read them here.

HTTP Message Handler in Web API

In this article we will see a few real-time applications with a custom HTTP Message Handler. Though those examples are not full-fledge examples ready for a production server but they provide an idea of custom HTTP handlers.

As in the previous explanation we have learned that we can inject our custom Message Handler within a system Message Handler and we can form the handler chain. When a HTTP request arrives at the controller, it will pass through those custom handlers.

So, the custom handlers are a good place to perform some business logic and security implementation. For example there might be a condition in the Web API that only the HTTPS protocol can access the application. Let’s implement it in our custom Message Handler.

Allow only HTTP protocol to access the application

Step 1: Implementation of custom Message Handler

In this step we will implement a custom Message Handler that will filter the HTTP request. We have implemented a MessageHandler1 class derived from the DelegatingHandler class. Within that we are checking the HTTP type using a request object.

  1. public class MessageHandler1 : DelegatingHandler  
  2. {  
  3.     protected async override Task<HttpResponseMessage> SendAsync(HttpRequestMessage       request, CancellationToken cancellationToken)  
  4.     {  
  5.         if (!String.Equals(request.RequestUri.Scheme, "https", StringComparison.OrdinalIgnoreCase))  
  6.         {  
  7.             return await Task.Factory.StartNew(() =>  
  8.             {  
  9.                 return new HttpResponseMessage(HttpStatusCode.BadRequest)  
  10.                 {  
  11.                     Content = new StringContent("HTTPS is Required to access the application")  
  12.                 };  
  13.             });  
  14.         }  
  15.         return await base.SendAsync(request, cancellationToken);  
  16.     }  
  17. }   

When the type is HTTP, we are creating one response message with response type “Bad Request”. In other words, we are not allowing the request to move towards a controller and within the custom Message Handler we are generating a response.

Step 2: Register the custom Message Handler

If it is necessary to register a custom Message Handler then we can inject our own Message Handler logic into a HTTP request and response pipeline.

  1. protected void Application_Start()  
  2. {  
  3.    WebApiConfig.Register(GlobalConfiguration.Configuration);  
  4.    GlobalConfiguration.Configuration.MessageHandlers.Add(new MessageHandler1());  
  5. }   

Step 3: Implement sample controller

This is a small stub controller that we will call from a browser window. We have just modified the default values of the controller by adding a Get() action.

  1. public class ValuesController : ApiController  
  2. {  
  3.     //api/Get  
  4.     public string[] Get()  
  5.     {  
  6.         return new string[] { "Sourav""Kayal" };  
  7.     }  
  8. } 

Yes, we have configured all settings, now let’s run the application. If we are lucky enough then we will see the following output screen.

So the response is returning from our custom Message Handler.

custom message handler

Restrict specific method in custom Message Handler

Again, your business requirement might be that you will not allow specific HTTP requests to your controller. Within a custom Message Handler we can check the HTTP request type, if it is a GET request then we will drop the request there and we will return one custom response message. Have a look at the following code.

Here is the complete code of the Global.aspx page

In the MessageHandler1 class we are checking the request type using a method property of the request object. And if it is a GET then generate our custom response otherwise process the request for the next Message Handler.

  1. using System;  
  2. using System.Collections.Generic;  
  3. using System.Diagnostics;  
  4. using System.Linq;  
  5. using System.Net;  
  6. using System.Net.Http;  
  7. using System.Threading;  
  8. using System.Threading.Tasks;  
  9. using System.Web;  
  10. using System.Web.Http;  
  11. using System.Web.Http.Filters;  
  12. using System.Web.Http.WebHost;  
  13. using System.Web.Mvc;  
  14. using System.Web.Optimization;  
  15. using System.Web.Routing;  
  16. using System.Web.SessionState;  
  17. namespace TestWEB_API  
  18. {  
  19.     public class WebApiApplication : System.Web.HttpApplication  
  20.     {  
  21.         protected void Application_Start()  
  22.         {   
  23.             WebApiConfig.Register(GlobalConfiguration.Configuration);  
  24.             GlobalConfiguration.Configuration.MessageHandlers.Add(new MessageHandler1());  
  25.             FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);  
  26.             RouteConfig.RegisterRoutes(RouteTable.Routes);  
  27.             BundleConfig.RegisterBundles(BundleTable.Bundles);  
  28.         }  
  29.     }  
  30.     public class MessageHandler1 : DelegatingHandler  
  31.     {  
  32.         protected async override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)  
  33.         {  
  34.             if (request.Method == HttpMethod.Get)  
  35.             {  
  36.                 var response = new HttpResponseMessage(HttpStatusCode.OK)  
  37.                 {  
  38.                     Content = new StringContent("GET method is not allowed in this application")  
  39.                 };            
  40.                 var tsc = new TaskCompletionSource<HttpResponseMessage>();  
  41.                 tsc.SetResult(response);    
  42.                 return await tsc.Task;  
  43.             }  
  44.             else  
  45.             {  
  46.                 var response = await base.SendAsync(request, cancellationToken);  
  47.                 return response;  
  48.             }              
  49.         }  
  50.     }  
  51. }

The following is the implementation of the sample controller of which we will call using a GET request.

  1. public class ValuesController : ApiController  
  2. {  
  3.     //api/Get  
  4.     public string[] Get()  
  5.     {  
  6.         return new string[] { "Sourav""Kayal" };  
  7.     }  
  8. } 

Now when we try to reach the preceding controller‘s Get() action we will encounter the following output. It’s throwing the custom response that we have set in our own Message Handler.

message handler


In this article, we have learned a few important tips that we can implement in a custom Message Handler. I hope they will help you to implement better and secure Web API applications. Keep reading this series. I will return shortly with a few more tips and examples.

Similar Articles