So I have an existing Windows Phone 7 app that uses my own authorization (player logs in with an alias and password and it verifies it against a db) going to an MVC web services.
Now I'm looking to move over to ASP.NET Web API and I'm a little confused as to how to add security for it?
I see there is the AuthorizeAttribute, but what do I need to do to allow them to be authorized?
Any guidance here would be appreciated.
AuthorizeAttribute is only checking against Thread.CurrentPrincipal to see if the user authorized to access the specified resource (in this case it is controller action) or not. It doesn't provide any type of authentication mechanism.
In your case, as you have username and password in place, you can do basic authentication. Best place to do this is inside a Message Handler. Here is an example: BasicAuthenticationHandler
I don't encourage you to use this as it is because there is no test behind this implementation but this should give you an idea. That class is an abstract class and when you set this as you base class for a message handler, you need to override the AuthenticateUser method and return IPrincipal. If the return value is null, that means user is not authenticated. If you provide an IPrincipal, that IPrincipal will be set and your AuthorizeAttribute can check against it.
You can, for instance, use GenericPrincipal class to create an IPrincipal. Assuming you are on ASP.NET host, you can register your authentication handler as below:
GlobalConfiguration.Configuration.MessageHandlers.Add(new MyAuthHandler());
To sum it up, do the authentication through a Message Handler somehow, no matter what type of authentication you use (Basic Auth, OAuth, etc.). And then, do the authorization through AuthorizeAttribute.
Also, Dominick Baier has a nice presentation on Securing ASP.NET Web APIs and I recommend you to check that out.
maybe this will help you: Custom AuthorizeAttribute for Web API controllers
