Pretty similar to this question here, the current application that we are working on has separate MVC 4 and WebApi 2 projects, where the MVC project is processing the user request to the WebApi, which actually executes the business logic, and then again the MVC is responsible for showing the result to the user. One thing that we can't figure out yet is how to authorize a user properly on both the WebApi and MVC. The problem is, when for example the session is expired, we don't want the request for some resource to be processed back to the WebApi, which then will make the check if the user actually is authorized to see this data. What we want to figure out is how to share a common logic for authorization when, say, the user, if his session is expired, is returned to the log on page, but if his status is OK, is processed to the WebApi, where again the user could be checked if he has the rights to access some data.
I'll try to make the question more self-explanatory:

I have a solution with two projects: project1, an ASP.NET MVC 4 project, and project2, a WebApi 2 project. The MVC project has more of representational functions and it's a layer between the user and the place where the actual business logic is implemented (the WebApi). So for example if I go to the Products page, this calls an action from MVC, but here is the tricky part: the user may not be able to enter the Products page at all (session expired, for example). In this case I don't want to proceed with calling the WebApi 2 method, which eventually will take care and check if the user is authorized or not to see this data, but instead in this case I want the MVC action to redirect the user to a LogIn page or something. And the other case: the user is successfully logged in, his session is not expired, so the service responsible for fetching the products is called, but at this point I want to check what kind of products the user has rights to see. So in both cases I need some sort of authorization, but the first time it should be done in the MVC project and the second time in the WebApi 2 project. And I'm not really sure if this is possible, but I'm looking for a way to implement this authorization logic in one place and consume it where I need it, instead of implementing something explicitly for the Mvc project and then something pretty much the same for the WebApi 2 project.
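One way to keep the rule in a single place while still letting each host react differently (MVC redirects to the log-in page, Web API answers 401/403 and never redirects) is to put the decision in a shared class library and wrap it in one filter per framework. The example below is added here to illustrate that layout; it is not code from the question or from any of its projects. The namespace `Shared.Security`, the static `AccessPolicy` class and the role name `ProductViewer` are assumptions made for the example; the filter base classes and the `Roles` property are the ones MVC 4 and Web API 2 already provide.

```csharp
// Assumed shared class library (Shared.Security), referenced by both the MVC 4 and the Web API 2 project.
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Http.Controllers;

namespace Shared.Security
{
    // The one place where "who may do what" is decided. Both hosts call this with the
    // principal they established themselves (forms cookie in MVC, cookie or token in Web API).
    public static class AccessPolicy
    {
        // Allowed when the caller is authenticated and, if roles are required, holds at least one of them.
        public static bool IsAllowed(IPrincipal user, string[] requiredRoles)
        {
            if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
                return false;                       // expired or missing session: never reach the API
            if (requiredRoles == null || requiredRoles.Length == 0)
                return true;                        // authenticated is enough for this resource
            return requiredRoles.Any(user.IsInRole); // data-level check, e.g. which products may be seen
        }

        // Splits the comma-separated Roles string both AuthorizeAttribute classes expose.
        public static string[] ParseRoles(string roles)
        {
            return string.IsNullOrWhiteSpace(roles)
                ? new string[0]
                : roles.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
                       .Select(r => r.Trim()).ToArray();
        }
    }

    // MVC side: an unauthenticated user is sent to the log-in page (the base 401 is what forms
    // authentication turns into the redirect); an authenticated user without the role gets 403.
    public class SharedAuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute
    {
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            return AccessPolicy.IsAllowed(httpContext.User, AccessPolicy.ParseRoles(Roles));
        }

        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            var user = filterContext.HttpContext.User;
            if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
            {
                filterContext.Result = new HttpStatusCodeResult(403); // logged in, but not allowed
                return;
            }
            base.HandleUnauthorizedRequest(filterContext);            // not logged in: 401 -> log-in page
        }
    }

    // Web API side: same rule, same role names, but the base class answers 401/403 directly,
    // which is what an API caller expects instead of an HTML log-in page.
    public class SharedApiAuthorizeAttribute : System.Web.Http.AuthorizeAttribute
    {
        protected override bool IsAuthorized(HttpActionContext actionContext)
        {
            var user = actionContext.RequestContext.Principal;
            return AccessPolicy.IsAllowed(user, AccessPolicy.ParseRoles(Roles));
        }
    }
}
```

Usage is then `[SharedAuthorize(Roles = "ProductViewer")]` on the MVC `Products` action and `[SharedApiAuthorize(Roles = "ProductViewer")]` on the Web API controller or action that fetches the products. The MVC filter stops the expired-session case before any call to the API is made, while the API still evaluates the same policy on every request, so it does not rely on the MVC layer having done so. One assumption to keep in mind: the two processes must each resolve the caller's identity and roles the same way (for example a forms-authentication cookie validated with a shared `machineKey`, or a token the MVC layer forwards), because the shared class only decides; it does not authenticate.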