In case your custom web service works with sensitive data it’s best to protect it and have the service methods execute only for authenticated users. To achieve that you must first implement the logic to protect your web service methods, and then use Sitefinity CMS Identity Server to authenticate and authorize requests to your service.
The Sitefinity CMS API exposes an easy mechanism for securing your web service methods. You can call the RequestBackendUserAuthentication method of the ServiceUtility class, inside your web service logic. For example, this is how to secure the web service we demonstrated in the Implement a web service to delete orphaned user profiles tutorial:
RequestBackendUserAuthentication
ServiceUtility
This way, when Sitefinity CMS handles requests to your web service route, it will serve the request only for authenticated backend users. Otherwise Sitefinity CMS returns a status code 403 – Unauthorized.
Once you secure your web service using the above described mechanism, Sitefinity CMS serves the requests to the protected methods only if you are logged in as a backend user in the browser you are requesting the web service from.
However, the more common scenario is to call the web service from another client, not in the browser, where you are already logged in to the website backend. When calling the service from an external client you need to obtain a token using valid backend user credentials, and then append this token when calling the web service.
To create a request for access token, use procedure Request access token to call a web service with OAuth2.
Next you must configure the Identity Server, used by Sitefinity CMS to facilitate authentication from external clients. This is necessary, so you can obtain an access token and use that token when making calls to your web service. See the instructions listed in Request a token by a trusted client for detailed steps on how to configure the Sitefinity CMS IdentityServer settings to support external authentication and how to obtain an access token.
Once you obtain a token, use it when making calls to your web service. The sample, provided in the Request a token by a trusted client article demonstrates how to make a service call and pass the token you obtained. The IdentityServerBearerTokenAuthentication middleware you mapped for your web service route will process the token and validate it. Upon successful validation Sitefinity CMS will process the web service request and return the data.
IdentityServerBearerTokenAuthentication
Increase your Sitefinity skills by signing up for our free trainings. Get Sitefinity-certified at Progress Education Community to boost your credentials.
This free lesson teaches administrators, marketers, and other business professionals how to use the Integration hub service to create automated workflows between Sitefinity and other business systems.
This free lesson teaches administrators the basics about protecting yor Sitefinity instance and its sites from external threats. Configure HTTPS, SSL, allow lists for trusted sites, and cookie security, among others.
The free on-demand video course teaches developers how to use Sitefinity .NET Core and leverage its decoupled architecture and new way of coding against the platform.
To submit feedback, please update your cookie settings and allow the usage of Functional cookies.
Your feedback about this content is important