In this video, I am going to discuss how to implement Role-Based Basic Authentication in ASP.NET Web API applications. Please watch our previous video, where we discussed how to implement ASP.NET Web API Basic Authentication with an example, before proceeding to this one. As part of this video, we are going to discuss the following pointers related to authentication and authorization.
How to implement Role-Based Basic Authentication in ASP.NET Web API? The Complete ASP.NET Web API Developer Course 2022 [Videos].
- Why do we need Role-Based Authentication?
- How to Implement Role-Based Basic Authentication in Web API?
- Testing the Role-Based Basic Authentication using Postman.
- What are the advantages and disadvantages of using BASIC Authentication in Web API?
Why do we need Role-Based Authentication?
Let us understand this with an example. As shown in the image below, we have three resources, i.e. GetAllMaleEmployees, GetAllFemaleEmployees, and GetAllEmployees, in our service.
In our application, let us say we have two roles, i.e. Admin and Superadmin, and as per our business requirement:
- Only users who have the Admin role can access the GetAllMaleEmployees resource.
- Only users who have the Superadmin role can access the GetAllFemaleEmployees resource.
- The GetAllEmployees resource can be accessed by users in either the Admin or the Superadmin role.
To achieve this, we need to implement Role-Based Authentication in ASP.NET Web API: Basic Authentication establishes who the caller is, and the role check then decides whether that caller may reach a given resource.
Implementing Role-Based Basic Authentication in Web API.
First, create an empty Web API application with the name RoleBasedBasicAuthenticationWEBAPI. Then add the following User and Employee models to the Models folder.
Now we need to add the UserBL and EmployeeBL class files within the Models folder.
Now add one more class file with the name UserValidate and copy and paste the following code.
Now create the BasicAuthenticationAttribute, which implements AuthorizationFilterAttribute; this is where we put the logic that validates the Basic credentials and attaches the user's roles to the request.
Now we will create our custom Authorize attribute, which inherits from AuthorizeAttribute; this is where we implement the logic that returns an appropriate response when authorization fails.
Let's create a Web API 2 Empty Controller with the name EmployeeController and copy and paste the following code.
That's it. We are done with our implementation.
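The authentication filter, the custom authorize attribute and the controller described in the steps above, written out as an added example; this is not the code from the video or the course download. It assumes a hypothetical in-memory UserValidate store with two constructed users (AdminUser in role Admin, SuperadminUser in role Superadmin, both with the constructed password 123456), attribute routing enabled in WebApiConfig, and the route paths api/Employee/... ; none of those details are given on the page. The point it shows is the split of duties: BasicAuthenticationAttribute only authenticates and attaches a principal carrying roles, while CustomAuthorizeAttribute turns a failed role check into 403 Forbidden instead of the stock 401.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

namespace RoleBasedBasicAuthenticationWEBAPI
{
    // Hypothetical user record and store standing in for the page's User/UserBL/UserValidate classes.
    public class User
    {
        public string UserName { get; set; }
        public string Password { get; set; }
        public string[] Roles { get; set; }
    }
    public static class UserValidate
    {
        // Constructed sample users. A real store keeps salted password hashes, never plaintext.
        private static readonly User[] Users =
        {
            new User { UserName = "AdminUser", Password = "123456", Roles = new[] { "Admin" } },
            new User { UserName = "SuperadminUser", Password = "123456", Roles = new[] { "Superadmin" } }
        };
        public static User Login(string userName, string password) =>
            Users.FirstOrDefault(u => u.UserName == userName && u.Password == password);
    }

    // Authentication filter: parses the Basic header, validates the credentials and attaches a
    // principal carrying the user's roles to the request. It does no role checking itself.
    public class BasicAuthenticationAttribute : AuthorizationFilterAttribute
    {
        public override void OnAuthorization(HttpActionContext actionContext)
        {
            AuthenticationHeaderValue auth = actionContext.Request.Headers.Authorization;
            // The scheme name is case-insensitive (RFC 7617), so "BASIC" and "Basic" both match.
            if (auth == null || !"Basic".Equals(auth.Scheme, StringComparison.OrdinalIgnoreCase)
                || string.IsNullOrWhiteSpace(auth.Parameter))
            {
                Challenge(actionContext);
                return;
            }
            string decoded;
            try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(auth.Parameter)); }
            catch (FormatException) { Challenge(actionContext); return; }
            // Split on the first colon only: the user-id may not contain one, but the password may.
            int separator = decoded.IndexOf(':');
            if (separator < 0) { Challenge(actionContext); return; }
            User user = UserValidate.Login(decoded.Substring(0, separator), decoded.Substring(separator + 1));
            if (user == null) { Challenge(actionContext); return; }
            // AuthorizeAttribute later reads this principal when it evaluates Roles = "...".
            actionContext.RequestContext.Principal =
                new GenericPrincipal(new GenericIdentity(user.UserName, "Basic"), user.Roles);
        }
        // 401 plus a WWW-Authenticate challenge: the caller is unknown or sent bad credentials.
        private static void Challenge(HttpActionContext actionContext)
        {
            var response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized,
                "Valid Basic credentials are required");
            response.Headers.WwwAuthenticate.Add(
                new AuthenticationHeaderValue("Basic", "realm=\"RoleBasedBasicAuthenticationWEBAPI\""));
            actionContext.Response = response;
        }
    }

    // The stock AuthorizeAttribute answers 401 whenever its check fails; this override answers 403
    // when the caller is authenticated but lacks the required role, and keeps 401 otherwise.
    public class CustomAuthorizeAttribute : AuthorizeAttribute
    {
        protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
        {
            IPrincipal principal = actionContext.RequestContext.Principal;
            if (principal != null && principal.Identity != null && principal.Identity.IsAuthenticated)
                actionContext.Response = actionContext.Request.CreateResponse(
                    HttpStatusCode.Forbidden, "You are not authorized to access this resource");
            else
                base.HandleUnauthorizedRequest(actionContext);
        }
    }

    // The controller-level filter runs before the action-level ones, so the principal exists before
    // the role check. Route attributes assume config.MapHttpAttributeRoutes() is called in WebApiConfig.
    [BasicAuthentication]
    public class EmployeeController : ApiController
    {
        [HttpGet, Route("api/Employee/GetAllMaleEmployees"), CustomAuthorize(Roles = "Admin")]
        public IHttpActionResult GetAllMaleEmployees() { return Ok(new[] { "male-1", "male-2" }); }
        [HttpGet, Route("api/Employee/GetAllFemaleEmployees"), CustomAuthorize(Roles = "Superadmin")]
        public IHttpActionResult GetAllFemaleEmployees() { return Ok(new[] { "female-1", "female-2" }); }
        [HttpGet, Route("api/Employee/GetAllEmployees"), CustomAuthorize(Roles = "Admin,Superadmin")]
        public IHttpActionResult GetAllEmployees() { return Ok(new[] { "male-1", "female-1" }); }
    }
}
```

Two design points worth noticing: the filter rejects a missing, malformed or non-Base64 header with a 401 and a WWW-Authenticate challenge rather than letting an exception turn into a 500, and the only thing the authorize attribute ever sees is the principal, so changing how users are stored or validated never touches the role rules.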
Testing Role-Based Basic Authentication in Web API using Postman
If you are new to Postman, I strongly recommend that you watch the following video, where I discussed how to download and use Postman to test REST services.
We need to pass the username and password in the Authorization header. The username and password must be separated by a colon (:), and the resulting string must be Base64 encoded. To do so, just use the following website.
Enter the username and password separated by a colon (:) in the “Encode to Base64 format” textbox, and then click on the “Encode” button as shown in the diagram below, which will generate the Base64 encoded value. Let us first generate the Base64 encoded string for the user AdminUser as shown in the image below.
Once you have generated the Base64 encoded string, let us see how to pass it in the header for basic authentication. Here we need to use the Authorization header, and its value is the scheme name “BASIC”, a space, and then the Base64 encoded string, as shown below.
Authorization: BASIC TWFsZVVzZXI6MTIzNDU2
The role Admin has been assigned to the AdminUser, so he can access only the following two resources.
But he cannot access the following resource.
Let us prove this using Postman.
Here we got the response 200 OK.
Here we also got the response 200 OK as expected.
As you can see, here we got the response 403 Forbidden, which means the user is authenticated but not authorized to access the above resource. Similarly, you can test the other users.
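The same three checks as a small console client instead of Postman, added here as an example and not part of the video or the course code. It builds the Authorization header value in code (the scheme "Basic" followed by base64 of "username:password", exactly what the encoder website produces), then requests the three resources once with no header, once as AdminUser and once as SuperadminUser. The base address https://localhost:44300/, the route paths and the password 123456 are assumptions for a locally running copy of the project.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;

// Constructed console client that plays the role of Postman against the running project.
public static class BasicAuthClient
{
    // Header value = scheme "Basic" + base64("username:password"), the same value the encoder site produces.
    public static AuthenticationHeaderValue BuildBasicHeader(string userName, string password)
    {
        if (userName.Contains(":"))
            throw new ArgumentException("A Basic user-id cannot contain ':' (RFC 7617)", "userName");
        byte[] raw = Encoding.UTF8.GetBytes(userName + ":" + password);
        return new AuthenticationHeaderValue("Basic", Convert.ToBase64String(raw));
    }

    // Reverses the encoding; handy for checking which credentials a tool actually put in the header.
    public static string DecodeBasicParameter(string base64Parameter)
    {
        return Encoding.UTF8.GetString(Convert.FromBase64String(base64Parameter));
    }

    // Requests each resource with the given header (null = no Authorization header at all)
    // and prints the status code, which is what we read off Postman in the screenshots.
    private static async Task ProbeAsync(HttpClient client, string label, AuthenticationHeaderValue header)
    {
        string[] resources =
        {
            "api/Employee/GetAllMaleEmployees",
            "api/Employee/GetAllFemaleEmployees",
            "api/Employee/GetAllEmployees"
        };
        client.DefaultRequestHeaders.Authorization = header;
        foreach (string resource in resources)
        {
            using (HttpResponseMessage response = await client.GetAsync(resource))
            {
                Console.WriteLine("{0,-15} {1,-36} -> {2} {3}", label, resource,
                    (int)response.StatusCode, response.StatusCode);
            }
        }
    }

    public static async Task Main()
    {
        // Assumed base address of the locally running project. Use HTTPS: Basic sends the
        // credentials in the clear on every request, so the transport has to protect them.
        using (var client = new HttpClient { BaseAddress = new Uri("https://localhost:44300/") })
        {
            await ProbeAsync(client, "no header", null);       // unauthenticated: 401 for every resource
            await ProbeAsync(client, "AdminUser", BuildBasicHeader("AdminUser", "123456"));
            await ProbeAsync(client, "SuperadminUser", BuildBasicHeader("SuperadminUser", "123456"));
        }
    }
}
```

With the role rules from the beginning of the video, AdminUser is expected to get 200 for GetAllMaleEmployees and GetAllEmployees and 403 for GetAllFemaleEmployees, and SuperadminUser the mirror image; the unauthenticated run is there to show the difference between 401 (who are you?) and 403 (I know who you are, and the answer is no).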
Advantages and disadvantages of Basic Authentication in Web API.
Advantages:
- Internet standard.
- Supported by all major browsers.
- Relatively simple protocol.
Disadvantages:
- User credentials are sent in the request.
- Credentials are sent as plaintext (Base64 is an encoding, not encryption), so the transport must be HTTPS.
- Credentials are sent with every request.
- No way to log out, except by ending the browser session.
- Vulnerable to cross-site request forgery (CSRF); requires anti-CSRF measures.