Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Ron G 41 posts 137 karma points
    Jun 09, 2015 @ 09:14
    Ron G
    0

    Problem Using Standard ApiController in Umbraco 7

    I'm trying to use the standard /api/ route since our Umbraco backend is IP restricted and we need to create an api endpoint that is accessible from the public.

    I have...

    /App_Start/WebApiConfig.cs

    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{id}",
                defaults: new { id = RouteParameter.Optional }
            );
        }
    }
    

    Then the controller: TestController.cs

    public class TestController : ApiController
    {
        public IEnumerable<string> GetAll()
        {
            List<string> list = new List<string>();
    
            list.Add("value1");
            list.Add("value2");
    
            return list.AsEnumerable();
        }
    }
    

    When I try to access: /api/test/getall

    ... I get the standard Umbraco "Page not found" page.

    Page not found

    No umbraco document matches the url '/page-not-found/?404;http://localhost:61213/api/test/getall'.

    This page can be replaced with a custom 404. Check the documentation for "custom 404".

    This page is intentionally left ugly ;-)

    Tried following the post:

    https://our.umbraco.org/forum/developers/api-questions/61025-Production-issue-How-to-access-API-route-when-~umbraco-is-filtered-by-IP-Address-Domain-Restrictions

    ... but its not working for me.

    Any advice?

  • Benas Brazdziunas 34 posts 155 karma points c-trib
    Jun 11, 2015 @ 22:01
    Benas Brazdziunas
    0

    HI

    O believe you need to add your /api/ to web.config file:

    <add key="umbracoReservedPaths" value="~/umbraco,~/install/,~/bundles/,~/api/" />
    
  • Ron G 41 posts 137 karma points
    Jun 22, 2015 @ 03:34
    Ron G
    0

    So updating the umbracoReservedPaths didn't work. What you need to do is register the Web API routes.

            public class WebApiRouteRegistrarHandler : IApplicationEventHandler
        {
            public void OnApplicationInitialized(UmbracoApplicationBase umbracoApplication, ApplicationContext applicationContext)
            {
            }
    
            public void OnApplicationStarting(UmbracoApplicationBase umbracoApplication, ApplicationContext applicationContext)
            {
                WebApiConfig.Register(GlobalConfiguration.Configuration);
            }
    
            public void OnApplicationStarted(UmbracoApplicationBase umbracoApplication, ApplicationContext applicationContext)
            {
            } 
    }
    

    Thanks to Michali for this one!

  • Sebastiaan Janssen 4985 posts 15098 karma points MVP admin hq
    Jun 22, 2015 @ 14:17
    Sebastiaan Janssen
    0

    Is there any reason you don't want to use an UmbracoApiController? It is routed for you automatically (/umbraco/api/ControllerName/Method), publicly accessible and gives you quick access to UmbracoHelper and the Services context. It inherits from ApiController so it's completely default ApiController behavior otherwise, just easy access to Umbraco stuff.

  • Ron G 41 posts 137 karma points
    Jul 22, 2015 @ 21:02
    Ron G
    0

    Hey,

    If we restrict access to the Umbraco admin folder: /umbraco/ ... for security reasons, then the /umbraco/api/ will not be accessible from the public.

  • Sebastiaan Janssen 4985 posts 15098 karma points MVP admin hq
    Jul 23, 2015 @ 07:06
    Sebastiaan Janssen
    0

    Some advise:

    • Consider turning on https for the backoffice so that a man-in-the-middle attack is no longer possible
    • Consider implementing an http module that doesn't do IP filtering for ~/Umbraco/Surface and ~/Umbraco/Api but does filter any other ~/Umbraco paths
    • Consider implementing your own membershipprovider that does IP filtering
    • Consider replacing the login page with your own implementation that only works from behind an IP filter (~/Umbraco/Views/common/dialogs/login.html)
    • On the UsersMembershipProvider set maxInvalidPasswordAttempts to a fairly low number to avoid brute-force attacks
    • Regularly change passwords for backoffice users and make them strong passwords
  • Ron G 41 posts 137 karma points
    Jul 23, 2015 @ 13:08
    Ron G
    0

    Thank you for the advise. Might want to update the wiki:

    If you're particularly security minded, you can restrict access to the /umbraco folder in IIS to just the IP addresses of the company using it and yourself, to prevent unauthorised access to the back end.

    https://our.umbraco.org/wiki/recommendations/recommended-reading-for-it-administrators/best-practices-for-live-deployment

    Our client followed this and now will not change this because they consider this a best practice to just IP restrict the /umbraco/ folder.

    And to be far, IP restricting the /umbraco/ folder is the easiest way to restrict access to the admin.

  • Steffen Dam 5 posts 25 karma points
    Jul 23, 2015 @ 13:12
    Steffen Dam
    0

    I just implemented something alike. What I saw, was that you were missing the action on the route entry

    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{action}/{id}",
                defaults: new { id = RouteParameter.Optional }
            );
        }
    }
    
  • Ron G 41 posts 137 karma points
    Jul 23, 2015 @ 15:27
    Ron G
    0

    Interesting... I'll have to give that a try. Looking at the ASP.NET specs, the 'action' is not needed.

    http://www.asp.net/web-api/overview/web-api-routing-and-actions/routing-in-aspnet-web-api

Please Sign in or register to post replies

Write your reply to:

Draft