Role-Based Basic Authentication in Web API
Back to: ASP.NET Web API Tutorial
Role-Based Basic Authentication is a security mechanism that not only authenticates users but also checks their roles or permissions before granting access to specific resources in a Web API. In this comprehensive lesson, we’ll explore how to implement Role-Based Basic Authentication in ASP.NET Web API with SQL Server for user management, and provide code examples to demonstrate the process.
Prerequisites
Before proceeding, make sure you have the following prerequisites:
- SQL Server database for user management.
- Basic understanding of ASP.NET Web API and SQL Server.
Implementation Steps
1. Database Setup
Create a SQL Server database to store user information. Create two tables: Users
to store user credentials and UserRoles
to associate users with roles.
2. User Registration
When a user registers, store their credentials (username and password hash) in the Users
table.
public void RegisterUser(string username, string password) { string salt = GenerateSalt(); // Generate a random salt string passwordHash = HashPassword(password, salt); // Hash the password with the salt // Store username, passwordHash, and salt in the Users table }
3. Role Assignment
Create roles in the UserRoles
table and associate users with their respective roles.
public void AssignUserRole(string username, string roleName) { // Associate the user with the specified role in the UserRoles table }
4. Authentication Middleware
Implement an authentication middleware that checks for Basic Authentication credentials in the Authorization
header and verifies the user’s role.
public class RoleBasedAuthenticationMiddleware { private readonly RequestDelegate _next; public RoleBasedAuthenticationMiddleware(RequestDelegate next) { _next = next; } public async Task Invoke(HttpContext context) { string authHeader = context.Request.Headers["Authorization"]; if (!string.IsNullOrEmpty(authHeader) && authHeader.StartsWith("Basic ")) { string encodedCredentials = authHeader.Substring("Basic ".Length).Trim(); string credentials = Encoding.UTF8.GetString(Convert.FromBase64String(encodedCredentials)); string[] parts = credentials.Split(':'); string username = parts[0]; string password = parts[1]; // Validate username and password against the database if (IsValidUser(username, password)) { // Check the user's role if (IsUserInRole(username, "Admin")) { // User is authorized as an admin await _next.Invoke(context); return; } } } // Unauthorized access context.Response.Headers["WWW-Authenticate"] = "Basic realm=\"Your API\""; context.Response.StatusCode = (int)HttpStatusCode.Unauthorized; } }
5. Securing API Endpoints
Apply the RoleBasedAuthenticationMiddleware
to the API endpoints that require role-based authentication.
[Route("api/admin")] [Authorize(Roles = "Admin")] public class AdminController : ApiController { [HttpGet] [Route("data")] public IHttpActionResult GetAdminData() { // This endpoint is secured with Role-Based Basic Authentication // Only authenticated users with the "Admin" role can access it var data = GetAdminSensitiveData(); return Ok(data); } }
In this example, the [Authorize(Roles = "Admin")]
attribute is applied to the AdminController
. This means that only authenticated users with the “Admin” role can access the GetAdminData
endpoint.
In an ASP.NET Web API application that uses Role-Based Basic Authentication with SQL Server, you can access the user’s role name within a controller using the User property of the ApiController class. Here’s how you can retrieve the user’s role name:
using System.Web.Http; public class MyController : ApiController { public IHttpActionResult MyAction() { // Get the user's role name string roleName = User.Identity.Name; // Now you can use the roleName in your controller logic if (string.Equals(roleName, "Admin", StringComparison.OrdinalIgnoreCase)) { // User has the "Admin" role // Implement your logic for admin users } else if (string.Equals(roleName, "User", StringComparison.OrdinalIgnoreCase)) { // User has the "User" role // Implement your logic for regular users } else { // User doesn't have a recognized role // Handle it accordingly } // Continue with your controller logic return Ok("Action completed"); } }
In this example, we use User.Identity.Name
to retrieve the user’s role name. You can then use this role name in your controller logic to determine what actions or data the user is authorized to access based on their role.
Conclusion
Role-Based Basic Authentication in ASP.NET Web API with SQL Server adds an extra layer of security by controlling access to resources based on user roles or permissions. By following the steps outlined in this lesson and implementing the provided code examples, you can create a role-based authentication system that ensures only authorized users with specific roles can access protected resources in your API.