Secure your custom ServiceStack web service
In case your custom web service works with sensitive data it’s best to protect it and have the service methods execute only for authenticated users. To achieve that you must first implement the logic to protect your web service methods, and then use Sitefinity CMS Identity Server to authenticate and authorize requests to your service.
First part: Protect your web service methods
The Sitefinity CMS API exposes an easy mechanism for securing your web service methods. You can call the
RequestBackendUserAuthentication method of the
ServiceUtility class, inside your web service logic. For example, this is how to secure the web service we demonstrated in the Implement a web service to delete orphaned user profiles tutorial:
This way, when Sitefinity CMS handles requests to your web service route, it will serve the request only for authenticated backend users. Otherwise Sitefinity CMS returns a status code 403 – Unauthorized.
Second part: Use a token to authenticate when calling your web service
Once you secure your web service using the above described mechanism, Sitefinity CMS serves the requests to the protected methods only if you are logged in as a backend user in the browser you are requesting the web service from.
However, the more common scenario is to call the web service from another client, not in the browser, where you are already logged in to the website backend. When calling the service from an external client you need to obtain a token using valid backend user credentials, and then append this token when calling the web service.
Enable access token validation for your web service route
For this mechanism to work, first you need to plug in to the OWIN Middleware pipeline and register a middleware that will authenticate requests for your web service route, via access token validation.
You need to do that by adding a new OWIN
Startup class. Inside the
Configuration method of your
Startup class, first register the default Sitefinity middleware, by calling the
UseSitefinityMiddleware extension method.
NOTE: Loading the
SitefinityMiddleware first is a prerequisite for Sitefinity CMS to operate properly.
Afterwards, you must branch the pipeline, using the
Map extension method.
Map acts as a filter – it enables you to specify a path and configure a separate middleware for that path. In our case the path is your web service route, and the middleware you must use is
IdentityServerBearerTokenAuthentication. This way, when a request comes in for your web service route, it will be processed by the configured
IdentityServerBearerTokenAuthentication, and the token you have passed with the request can be processed by IdentityServer to validate whether to serve the requested web service method or return an Unauthorized status code. For more information about hooking OWIN Middleware into Sitefintiy CMS see this blog post: Hook OWIN Middleware into Sitefinity.
Here’s an example how to implement an OWIN Startup class and map a configured
IdentityServerBearerTokenAuthentication middleware for the two routes used in the
DeleTeOrphanedUsersProfile service from the Implement a web service to delete orphaned user profiles tutorial:
Once you implement the OWIN
Startup class you must register it in your Sitefintiy CMS website web.config
<appSettings> section. This way you instruct the OWIN Application that your custom Startup class should be used instead of using the default OWIN Middleware pipeline.
To do that, add the following line in your web.config
If you want to learn more about the mechanism for detecting the OWIN
Startup class, see this Microsoft Documentation article on OWIN and Katana Startup Class Detection.
Configure Identity Server for external authentication, request an access token and use it when calling your web service
Next you must configure the Identity Server, used by Sitefinity CMS to facilitate authentication from external clients. This is necessary, so you can obtain an access token and use that token when making calls to your web service. See the instructions listed in Request a token by a trusted client for detailed steps on how to configure the Sitefinity CMS IdentityServer settings to support external authentication and how to obtain an access token.
Once you obtain a token, use it when making calls to your web service. The sample, provided in the Request a token by a trusted client article demonstrates how to make a service call and pass the token you obtained. The
IdentityServerBearerTokenAuthentication middleware you mapped for your web service route will process the token and validate it. Upon successful validation Sitefinity CMS will process the web service request and return the data.