Secure your custom ServiceStack web service
Overview
In case your custom web service works with sensitive data it’s best to protect it and have the service methods execute only for authenticated users. To achieve that you must first implement the logic to protect your web service methods, and then use Sitefinity CMS Identity Server to authenticate and authorize requests to your service.
First part: Protect your web service methods
The Sitefinity CMS API exposes an easy mechanism for securing your web service methods. You can call the RequestBackendUserAuthentication
method of the ServiceUtility
class, inside your web service logic. For example, this is how to secure the web service we demonstrated in the Implement a web service to delete orphaned user profiles tutorial:
This way, when Sitefinity CMS handles requests to your web service route, it will serve the request only for authenticated backend users. Otherwise Sitefinity CMS returns a status code 403 – Unauthorized.
Second part: Use a token to authenticate when calling your web service
Once you secure your web service using the above described mechanism, Sitefinity CMS serves the requests to the protected methods only if you are logged in as a backend user in the browser you are requesting the web service from.
However, the more common scenario is to call the web service from another client, not in the browser, where you are already logged in to the website backend. When calling the service from an external client you need to obtain a token using valid backend user credentials, and then append this token when calling the web service.
Enable access token validation for your web service route
For this mechanism to work, first you need to plug in to the OWIN Middleware pipeline and register a middleware that will authenticate requests for your web service route, via access token validation.
You need to do that by adding a new OWIN Startup
class. Inside the Configuration
method of your Startup
class, first register the default Sitefinity middleware, by calling the UseSitefinityMiddleware
extension method.
NOTE: Loading the SitefinityMiddleware
first is a prerequisite for Sitefinity CMS to operate properly.
Afterwards, you must branch the pipeline, using the Map
extension method. Map
acts as a filter – it enables you to specify a path and configure a separate middleware for that path. In our case the path is your web service route, and the middleware you must use is IdentityServerBearerTokenAuthentication
. This way, when a request comes in for your web service route, it will be processed by the configured IdentityServerBearerTokenAuthentication
, and the token you have passed with the request can be processed by IdentityServer to validate whether to serve the requested web service method or return an Unauthorized status code. For more information about hooking OWIN Middleware into Sitefinity CMS see this blog post: Hook OWIN Middleware into Sitefinity.
Here’s an example how to implement an OWIN Startup class and map a configured IdentityServerBearerTokenAuthentication
middleware for the two routes used in the DeleTeOrphanedUsersProfile
service from the Implement a web service to delete orphaned user profiles tutorial:
Once you implement the OWIN Startup
class you must register it in your Sitefinity CMS website web.config <appSettings>
section. This way you instruct the OWIN Application that your custom Startup class should be used instead of using the default OWIN Middleware pipeline.
To do that, add the following line in your web.config <appSettings>
section:
If you want to learn more about the mechanism for detecting the OWIN Startup
class, see this Microsoft Documentation article on OWIN and Katana Startup Class Detection.
Configure Identity Server for external authentication, request an access token and use it when calling your web service
Next you must configure the Identity Server, used by Sitefinity CMS to facilitate authentication from external clients. This is necessary, so you can obtain an access token and use that token when making calls to your web service. See the instructions listed in Request a token by a trusted client for detailed steps on how to configure the Sitefinity CMS IdentityServer settings to support external authentication and how to obtain an access token.
Once you obtain a token, use it when making calls to your web service. The sample, provided in the Request a token by a trusted client article demonstrates how to make a service call and pass the token you obtained. The IdentityServerBearerTokenAuthentication
middleware you mapped for your web service route will process the token and validate it. Upon successful validation Sitefinity CMS will process the web service request and return the data.