Security options and scope in Web API

You might have gone through various articles on Web API security levels and options. This article is intend to give you a straight & short overview on it rather holding you for much times.

Well, Web API can be secured by implementing security inside Action-Filters / Message handlers. Thus, we have following places to write/implement our security-

1.       Authentication Filters

2.       Authorization Filters

3.       Action Filters

4.       Message Handlers

Apart from these internal implementations, we can also take the benefit of-

5.       HOST level security

Web API pipeline is a great mechanism which lets developers to extend the behaviour.  A request is get processed by actual method only after crossing certain level of predefined stages. ex. – Handlers & Filters. It enables us to implement our security at granular level (at any level, even at method level : ).

Below image illustrate the same- Web API Security levels and types

(pic: Web API 2.0 Security Levels)

Thus, we have many options to implement the security at many levels. We can set globally as well as upto method/function level. 

Let’s explore hosting level security options.  Earlier we had only IIS host but now a days technology has evolve much and giving us more options to host our applications. OWIN host is one of the leading approach to break down the IIS barrier. Below are the approaches for security implementations in these duos (IIS & Owin)-

1.       OWIN Middleware          – if using OWIN hosting

2.       Http Modules                  – if using IIS hosting

Simplifying the things give us the following picture to know these security options-

Web API Security options - OWIN middleware

You may also refer this article - Understanding Web API