
How to integrate Visual Guard in Web API

How to add the Visual Guard assembly reference to your Web API application
Note

To integrate Visual Guard in your Web API application project, refer to How to integrate Visual Guard in your MVC application for adding the assembly reference and configuring web.config.

Securing Controller/Action

Like the Authorize attribute, which authorizes requests for the defined Roles and Users, Visual Guard supports restricting access to an action method by Permissions. You can decorate any controller action with the VGAuthorize attribute, specifying Roles, Users and Permissions. If an unauthorized user tries to access a controller or action marked with the VGAuthorize attribute, the request returns an Unauthorized status code.

Using VGAuthorize attribute

When you mark an action method with the VGAuthorize attribute, access to that action is restricted based on the Permissions, Users and Roles defined. If you mark a controller with VGAuthorize, all of its action methods are restricted.

The VGAuthorize attribute has three properties: Roles, Permissions and Users. Each accepts multiple values separated by commas. In the example below, ProductionController cannot be accessed unless the logged-in user has the Role "Admin". The action method "GetAllProducts" cannot be accessed unless the logged-in user has the permission "CanGetAllRoles" and the Role "RoleManager". Lastly, the action method "GetProductById" cannot be accessed unless the permissions "ReadOnly" and "CanGetById" are both assigned to the logged-in user.

Example:

1) Attribute: [VGAuthorize(Roles = "Admin")]

Description: Only a logged-in user with the Admin role can access.

2) Attribute: [VGAuthorize(Permissions = "CanGetAllRoles", Roles = "RoleManager")]

Description: Only a logged-in user with the permission CanGetAllRoles and the role RoleManager can access.

3) Attributes: [VGAuthorize(Permissions = "ReadOnly")] [VGAuthorize(Permissions = "CanGetById")]

Description: Only a logged-in user with both permissions "ReadOnly" and "CanGetById" can access.

Note

When specifying a permission in the VGAuthorize attribute, use the permission's full name (including its full folder path).

Example: the "ReadOnly" permission exists in the folder "Auditors", so the full name of the permission is "/Auditors/ReadOnly".

The following example shows how to authorize a logged-in user. The attribute can be placed on a controller or on an action method:

C#
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Web.Http;

// Assumed model for the sample (the page does not show it).
public class Product
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string Category { get; set; }
    public decimal Price { get; set; }
}

// Every action on this controller requires the "Admin" role.
[VGAuthorize(Roles = "Admin")]
public class ProductionController : ApiController
{
    Product[] products = new Product[]
    {
        new Product { Id = 1, Name = "Tomato Soup", Category = "Groceries", Price = 1 },
        new Product { Id = 2, Name = "Yo-yo", Category = "Toys", Price = 3.75M },
        new Product { Id = 3, Name = "Hammer", Category = "Hardware", Price = 16.99M }
    };

    // Additionally requires the "CanGetAllRoles" permission and the "RoleManager" role.
    [VGAuthorize(Permissions = "CanGetAllRoles", Roles = "RoleManager")]
    public IEnumerable<Product> GetAllProducts()
    {
        return products;
    }

    // Stacked attributes: both permissions must be assigned to the caller.
    [VGAuthorize(Permissions = "ReadOnly")]
    [VGAuthorize(Permissions = "CanGetById")]
    public Product GetProductById(int id)
    {
        var product = products.FirstOrDefault((p) => p.Id == id);
        if (product == null)
        {
            throw new HttpResponseException(HttpStatusCode.NotFound);
        }
        return product;
    }
}
VB.Net
Imports System.Collections.Generic
Imports System.Linq
Imports System.Net
Imports System.Web.Http

' Assumed model for the sample (the page does not show it).
Public Class Product
    Public Property Id As Integer
    Public Property Name As String
    Public Property Category As String
    Public Property Price As Decimal
End Class

' Every action on this controller requires the "Admin" role.
<VGAuthorize(Roles:="Admin")> _
Public Class ProductionController
    Inherits ApiController
    Private products As Product() = New Product() {New Product() With { _
        .Id = 1, _
        .Name = "Tomato Soup", _
        .Category = "Groceries", _
        .Price = 1 _
    }, New Product() With { _
        .Id = 2, _
        .Name = "Yo-yo", _
        .Category = "Toys", _
        .Price = 3.75D _
    }, New Product() With { _
        .Id = 3, _
        .Name = "Hammer", _
        .Category = "Hardware", _
        .Price = 16.99D _
    }}

    ' Additionally requires the "CanGetAllRoles" permission and the "RoleManager" role.
    <VGAuthorize(Permissions:="CanGetAllRoles", Roles:="RoleManager")> _
    Public Function GetAllProducts() As IEnumerable(Of Product)
        Return products
    End Function

    ' Stacked attributes: both permissions must be assigned to the caller.
    <VGAuthorize(Permissions:="ReadOnly")> _
    <VGAuthorize(Permissions:="CanGetById")> _
    Public Function GetProductById(id As Integer) As Product
        Dim product = products.FirstOrDefault(Function(p) p.Id = id)
        If product Is Nothing Then
            Throw New HttpResponseException(HttpStatusCode.NotFound)
        End If
        Return product
    End Function
End Class
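The protection above only holds for actions that actually carry the attribute. As an added example, not part of the Visual Guard documentation, the following reflection-based audit lists every public Web API action that has no VGAuthorize attribute on either the method or its controller, so a forgotten attribute is caught before deployment. It assumes the attribute class is named VGAuthorizeAttribute (the standard C# naming behind [VGAuthorize]) and that the ProductionController shown above lives in the scanned assembly.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Http;

public static class AuthorizationCoverageAudit
{
    // Returns "Controller.Action" for each public action method that is neither
    // decorated with the authorize attribute itself nor declared on a controller
    // that carries it. Actions marked [AllowAnonymous] are still listed so that
    // every deliberately open endpoint is reviewed explicitly.
    public static IList<string> FindUnprotectedActions(Assembly assembly, Type authorizeAttribute)
    {
        var unprotected = new List<string>();
        var controllers = assembly.GetTypes()
            .Where(t => t.IsClass && !t.IsAbstract && typeof(ApiController).IsAssignableFrom(t));

        foreach (var controller in controllers)
        {
            bool controllerProtected = controller.IsDefined(authorizeAttribute, inherit: true);

            // Only methods declared on the controller itself count as actions here;
            // property accessors and [NonAction] methods are never routed.
            var actions = controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => !m.IsSpecialName && !m.IsDefined(typeof(NonActionAttribute), inherit: true));

            foreach (var action in actions)
            {
                if (controllerProtected || action.IsDefined(authorizeAttribute, inherit: true))
                    continue;
                unprotected.Add(controller.Name + "." + action.Name);
            }
        }
        return unprotected;
    }

    public static void Main()
    {
        // Assumed attribute class name behind [VGAuthorize].
        var attribute = typeof(VGAuthorizeAttribute);
        var unprotected = FindUnprotectedActions(typeof(ProductionController).Assembly, attribute);
        foreach (var name in unprotected)
            Console.WriteLine("No VGAuthorize on: " + name);
        if (unprotected.Count == 0)
            Console.WriteLine("All public actions carry VGAuthorize.");
    }
}
```

Run it as a unit test that fails when the list is non-empty, so that a new action added without an attribute breaks the build rather than shipping unprotected.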