The following are some possible extension points for securing an ASP.NET Web API application.
Implement custom authentication/authorization logic in one of the following extension points. We can still use the Forms Authentication token to save the credentials in a cookie and set the thread principal.
- Implement and register an IIS `IHttpModule` (runs before message handlers and filters).
- Use message handlers run by the `ApiController.ExecuteAsync`. Implement and register a `DelegatingHandler`-derived class (runs before filters).
- Use filters such as `[Authorize]` (method, controller, or global scope). We can derive from the `AuthorizeAttribute` class to implement custom logic.
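
The message-handler and filter options combined, as an added example that is not code from the original page: a `DelegatingHandler` that turns a valid Forms Authentication cookie into the thread principal, with `[Authorize]` registered globally to make the access decision. The names `FormsTicketHandler` and `WebApiConfig`, and the convention of storing comma-separated roles in the ticket's `UserData`, are assumptions.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using System.Web.Http;
using System.Web.Security;

// Hypothetical handler name; it sees every request before any filter runs.
public class FormsTicketHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var cookie = request.Headers.GetCookies(FormsAuthentication.FormsCookieName)
                            .FirstOrDefault();
        if (cookie != null)
        {
            try
            {
                // With the default protection setting, Decrypt also checks the ticket's MAC.
                var ticket = FormsAuthentication.Decrypt(
                    cookie[FormsAuthentication.FormsCookieName].Value);
                if (ticket != null && !ticket.Expired)
                {
                    // Assumption: roles were written comma-separated into UserData at login.
                    var roles = ticket.UserData.Split(
                        new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
                    var principal = new GenericPrincipal(new FormsIdentity(ticket), roles);
                    Thread.CurrentPrincipal = principal;
                    if (HttpContext.Current != null) HttpContext.Current.User = principal;
                }
            }
            catch (ArgumentException) { /* malformed ticket: request stays anonymous */ }
            catch (CryptographicException) { /* tampered ticket: request stays anonymous */ }
        }
        // This handler only authenticates; the [Authorize] filter returns 401 when needed.
        return base.SendAsync(request, cancellationToken);
    }
}

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.MessageHandlers.Add(new FormsTicketHandler()); // authentication
        config.Filters.Add(new AuthorizeAttribute());         // authorization, global scope
    }
}
```

Because the global filter denies anonymous requests by default, endpoints that must stay public (such as the login action) need an explicit `[AllowAnonymous]`.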