I currently have an MVC application using the default "Individual User Accounts" option for authentication. This works great, I'm able to create users, log in and restrict access to controllers based on user roles.
I have a separate Web API application that currently doesn't use any authentication.
Both applications are hosted on the same IIS server as separate sites. I want to combine the authentication from the MVC application into the Web API application, so after the user has logged into the MVC application, they are also given access to the appropriate controllers in the Web API application, based on user role.
From what I have been reading, I need to set <authentication mode='Forms'> in web.config in both applications, and because they are on the same server, the authentication is automatically shared between the two. I've tried adding [Authorize] to a method in a controller in the Web API application, logged in through the MVC application and tried to access that method, but the method is never entered.
This is what I have been looking at: http://www.bipinjoshi.net/articles/436bc727-6de2-4d11-9762-9ee1a1e3cbea.aspx
What am I missing here? I'm hoping there is someone out there who can point me in the right direction.
You need to be impersonated from your MVC application to the Web API application with a user that has access to the Web API controllers on your Web API application, for instance with the user that is defined as an identity on the Web API application pool.
Then you can authenticate to the Web API with Network Credential like the code below:
This is an example with Windows impersonation. If you want strictly Forms impersonation you can refer to this link:
Impersonate using Forms Authentication
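The code the answer refers to is not shown on this page. As an added example (not the answerer's code), this is one way the MVC application could call the Web API with a NetworkCredential. It assumes the Web API site has Windows authentication enabled in IIS; the class names, environment variable names and host name are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

// Hypothetical helper for the MVC application; all names here are assumptions.
public static class WebApiClientFactory
{
    public static HttpClient Create(Uri apiBase, NetworkCredential serviceAccount)
    {
        // Refuse plain HTTP so the authentication exchange is not exposed on the wire.
        if (apiBase.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Web API base address must use HTTPS.", nameof(apiBase));

        // Scope the credential to this URI prefix and to the Negotiate scheme, so it
        // is not offered to other hosts or in answer to a Basic challenge.
        var cache = new CredentialCache();
        cache.Add(apiBase, "Negotiate", serviceAccount);

        var handler = new HttpClientHandler
        {
            Credentials = cache,
            AllowAutoRedirect = false // a redirect must not carry the call elsewhere
        };
        return new HttpClient(handler) { BaseAddress = apiBase };
    }

    // Every call made through this client is authenticated as the service account,
    // so [Authorize] on the Web API evaluates that account, not the MVC user.
    public static async Task<HttpStatusCode> ProbeAsync(HttpClient client, string relativePath)
    {
        using (var response = await client.GetAsync(relativePath))
            return response.StatusCode; // 401 means the credential was not accepted
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed values: placeholder host, account read from the environment.
        var account = new NetworkCredential(
            Environment.GetEnvironmentVariable("API_SVC_USER") ?? "",
            Environment.GetEnvironmentVariable("API_SVC_PASSWORD") ?? "",
            Environment.GetEnvironmentVariable("API_SVC_DOMAIN") ?? "");
        using (var client = WebApiClientFactory.Create(new Uri("https://api.example.test/"), account))
            Console.WriteLine("Client ready for " + client.BaseAddress);
    }
}
```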