I would like to demonstrate how to create a Sitecore WebAPI-based custom service that uses the native Sitecore/.NET security mechanism. ServicesApiController is part of Sitecore.Services.Infrastructure.dll and extends the .NET ApiController. Using ServicesApiController keeps Sitecore's global item security policies in force while still allowing individual filters with their own requirements. My goal is a stateless WebAPI-based service in Sitecore that authenticates and authorizes against Sitecore Security.

Project Configuration

  • Create a custom controller
using System.Web.Http;
using Sitecore;
using Sitecore.Services.Core;
using Sitecore.Services.Infrastructure.Web.Http;

namespace WebApiTest.controllers
{
    // [ServicesController] registers the controller with Sitecore Services Client,
    // so the global SecurityPolicy and AllowAnonymousUser settings apply to it.
    [ServicesController]
    public class TestController : ServicesApiController
    {
        // Custom filter (below): only the named Sitecore user may call this action.
        [AuthorizedUser(@"sitecore\ServicesAPI")]
        [HttpGet]
        [Route("service/package/test")]
        public string Test(string d)
        {
            // Sitecore.Context.User is resolved from the token (stateless) or the session.
            var context = Context.User;

            return string.Format(@"User: {0}; IsAuthenticated: {1}", context.Name, context.IsAuthenticated);
        }
    }
}
  • Custom authentication/authorization filter (known issue: IsAuthenticated is set to false for stateless auth)
using System.Net;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using Sitecore;

namespace WebApiTest
{
    // Authorization filter: passes only when the resolved Sitecore user is
    // authenticated and is exactly the user named on the attribute.
    public class AuthorizedUser : AuthorizationFilterAttribute
    {
        private readonly string _user;

        public AuthorizedUser(string user)
        {
            _user = user;
        }

        public override void OnAuthorization(HttpActionContext actionContext)
        {
            base.OnAuthorization(actionContext);
            var context = Context.User;

            if (context.IsAuthenticated && context.Name.Equals(_user))
                return;

            // Anything else is rejected with 401 before the action runs.
            actionContext.Response =
                actionContext.ControllerContext.Request.CreateErrorResponse(HttpStatusCode.Unauthorized,
                    "Unauthorized Access; User is " + Context.User.LocalName);
        }
    }
}
  • Custom patch config file (App_Config/include/zzzzz_WeAPITest.config)
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <settings>

      <setting name="Sitecore.Services.AllowAnonymousUser">
        <patch:attribute name="value">false</patch:attribute>
      </setting>

      <setting name="Sitecore.Services.Token.Authorization.Enabled">
        <patch:attribute name="value">true</patch:attribute>
      </setting>

      <setting name="Sitecore.Services.SecurityPolicy">
        <patch:attribute name="value">Sitecore.Services.Infrastructure.Web.Http.Security.ServicesOnPolicy, Sitecore.Services.Infrastructure</patch:attribute>
      </setting>

    </settings>
    <api>

      <tokenSecurity>
        <signingProvider type="Sitecore.Services.Infrastructure.Sitecore.Security.SymetricKeySigningProvider, Sitecore.Services.Infrastructure.Sitecore">
          <param desc="connectionStringName">Sitecore.Services.Token.SecurityKey</param>
        </signingProvider>
      </tokenSecurity>

      <services>
        <configuration type="Sitecore.Services.Infrastructure.Configuration.ServicesConfiguration, Sitecore.Services.Infrastructure">
          <allowedControllers hint="list:AddController">
            <allowedController desc="TestController">WebApiTest.controllers.TestController, WebApiTest</allowedController>
          </allowedControllers>
        </configuration>
      </services>

    </api>
  </sitecore>
</configuration>


  • Update the App_Config/ConnectionStrings.config file (do not keep the default signing key)
    <add name="Sitecore.Services.Token.SecurityKey" connectionString="key=GHUwnYMxb75Td25yqyVdQQ8QQ8RzBG6T"/>

Testing with Postman

  • make a call to https://HOST/sitecore/api/ssc/auth/login
  • get the token from the response

request/response:

  • compose a request to the custom endpoint, passing the token
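The same two-step stateless exchange as a small script, added here as an example and not part of the original post: the login body fields (domain/username/password), the "token" field in the login response and the "token" request header follow Sitecore Services Client conventions, SERVICE_PATH is where the [Route("service/package/test")] attribute is assumed to resolve, and the sample login response is constructed.

```python
# Added example (not from the original post): stateless token login followed by
# an authenticated call to the custom endpoint. Assumptions: login body fields,
# the "token" response field and "token" request header per Sitecore SSC docs;
# SERVICE_PATH is where [Route("service/package/test")] is assumed to resolve.
import json
import urllib.error
import urllib.parse
import urllib.request

LOGIN_PATH = "/sitecore/api/ssc/auth/login"
SERVICE_PATH = "/service/package/test"   # assumption, see header comment

def build_login_request(host, domain, username, password):
    """POST the Sitecore credentials as JSON; no cookie is kept afterwards."""
    body = json.dumps({"domain": domain, "username": username,
                       "password": password}).encode("utf-8")
    return urllib.request.Request(
        f"https://{host}{LOGIN_PATH}", data=body, method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"})

def extract_token(login_response_body):
    """Pull the token out of the login response body. Raises when the field is
    absent, which is what you get while Sitecore.Services.Token.Authorization.Enabled
    is still false (the login then only sets a session cookie)."""
    token = json.loads(login_response_body).get("token")
    if not token:
        raise ValueError("login succeeded but no token was issued; "
                         "check Sitecore.Services.Token.Authorization.Enabled")
    return token

def build_service_request(host, token, d="ping"):
    """Stateless call: the token rides in the 'token' header, so each request is
    authorized on its own, without a session."""
    return urllib.request.Request(
        f"https://{host}{SERVICE_PATH}?d={urllib.parse.quote(d)}",
        headers={"token": token})

def call_service(host, domain, username, password):
    """Run the exchange end to end. A 401 here means AllowAnonymousUser is false
    and the AuthorizedUser filter did not accept the resolved user."""
    with urllib.request.urlopen(build_login_request(host, domain, username, password)) as resp:
        token = extract_token(resp.read())
    try:
        with urllib.request.urlopen(build_service_request(host, token)) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8")

# Constructed sample of a successful login response (not a real token).
SAMPLE_LOGIN_RESPONSE = b'{"token": "CONSTRUCTED.SAMPLE.TOKEN"}'
```

Run `call_service("HOST", "sitecore", "ServicesAPI", "<password>")` against your instance; a 401 body containing "Unauthorized Access" is the filter above rejecting the request.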