Sign in Register
Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Ron G 41 posts 137 karma points
    Jun 09, 2015 @ 09:14
    Ron G
    0

    Problem Using Standard ApiController in Umbraco 7

    I'm trying to use the standard /api/ route since our Umbraco backend is IP restricted and we need to create an api endpoint that is accessible from the public.

    I have...

    /App_Start/WebApiConfig.cs

    public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional }
        );
    }
}

    Then the controller: TestController.cs

    public class TestController : ApiController
{
    public IEnumerable<string> GetAll()
    {
        List<string> list = new List<string>();

        list.Add("value1");
        list.Add("value2");

        return list.AsEnumerable();
    }
}

    When I try to access: /api/test/getall

    ... I get the standard Umbraco "Page not found" page.

    Page not found

    No umbraco document matches the url '/page-not-found/?404;http://localhost:61213/api/test/getall'.

    This page can be replaced with a custom 404. Check the documentation for "custom 404".

    This page is intentionally left ugly ;-)

    Tried following the post:

    https://our.umbraco.org/forum/developers/api-questions/61025-Production-issue-How-to-access-API-route-when-~umbraco-is-filtered-by-IP-Address-Domain-Restrictions

    ... but its not working for me.

    Any advice?

    Copy Link
  • Benas Brazdziunas 34 posts 156 karma points c-trib
    Jun 11, 2015 @ 22:01
    Benas Brazdziunas
    0

    HI

    O believe you need to add your /api/ to web.config file:

    <add key="umbracoReservedPaths" value="~/umbraco,~/install/,~/bundles/,~/api/" />
    Copy Link
  • Ron G 41 posts 137 karma points
    Jun 22, 2015 @ 03:34
    Ron G
    0

    So updating the umbracoReservedPaths didn't work. What you need to do is register the Web API routes.

            public class WebApiRouteRegistrarHandler : IApplicationEventHandler
    {
        public void OnApplicationInitialized(UmbracoApplicationBase umbracoApplication, ApplicationContext applicationContext)
        {
        }

        public void OnApplicationStarting(UmbracoApplicationBase umbracoApplication, ApplicationContext applicationContext)
        {
            WebApiConfig.Register(GlobalConfiguration.Configuration);
        }

        public void OnApplicationStarted(UmbracoApplicationBase umbracoApplication, ApplicationContext applicationContext)
        {
        } 
}

    Thanks to Michali for this one!

    Copy Link
  • Sebastiaan Janssen 5060 posts 15522 karma points MVP admin hq
    Jun 22, 2015 @ 14:17
    Sebastiaan Janssen
    0

    Is there any reason you don't want to use an UmbracoApiController? It is routed for you automatically (/umbraco/api/ControllerName/Method), publicly accessible and gives you quick access to UmbracoHelper and the Services context. It inherits from ApiController so it's completely default ApiController behavior otherwise, just easy access to Umbraco stuff.

    Copy Link
  • Ron G 41 posts 137 karma points
    Jul 22, 2015 @ 21:02
    Ron G
    0

    Hey,

    If we restrict access to the Umbraco admin folder: /umbraco/ ... for security reasons, then the /umbraco/api/ will not be accessible from the public.

    Copy Link
  • Sebastiaan Janssen 5060 posts 15522 karma points MVP admin hq
    Jul 23, 2015 @ 07:06
    Sebastiaan Janssen
    0

    Some advise:

    • Consider turning on https for the backoffice so that a man-in-the-middle attack is no longer possible
    • Consider implementing an http module that doesn't do IP filtering for ~/Umbraco/Surface and ~/Umbraco/Api but does filter any other ~/Umbraco paths
    • Consider implementing your own membershipprovider that does IP filtering
    • Consider replacing the login page with your own implementation that only works from behind an IP filter (~/Umbraco/Views/common/dialogs/login.html)
    • On the UsersMembershipProvider set maxInvalidPasswordAttempts to a fairly low number to avoid brute-force attacks
    • Regularly change passwords for backoffice users and make them strong passwords
    Copy Link
  • Ron G 41 posts 137 karma points
    Jul 23, 2015 @ 13:08
    Ron G
    0

    Thank you for the advise. Might want to update the wiki:

    If you're particularly security minded, you can restrict access to the /umbraco folder in IIS to just the IP addresses of the company using it and yourself, to prevent unauthorised access to the back end.

    https://our.umbraco.org/wiki/recommendations/recommended-reading-for-it-administrators/best-practices-for-live-deployment

    Our client followed this and now will not change this because they consider this a best practice to just IP restrict the /umbraco/ folder.

    And to be far, IP restricting the /umbraco/ folder is the easiest way to restrict access to the admin.

    Copy Link
  • Steffen Dam 5 posts 25 karma points
    Jul 23, 2015 @ 13:12
    Steffen Dam
    0

    I just implemented something alike. What I saw, was that you were missing the action on the route entry

    public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{action}/{id}",
            defaults: new { id = RouteParameter.Optional }
        );
    }
}
    Copy Link
  • Ron G 41 posts 137 karma points
    Jul 23, 2015 @ 15:27
    Ron G
    0

    Interesting... I'll have to give that a try. Looking at the ASP.NET specs, the 'action' is not needed.

    http://www.asp.net/web-api/overview/web-api-routing-and-actions/routing-in-aspnet-web-api

    Copy Link
Please Sign in or register to post replies

Write your reply to:

Draft