authorization

I've read about oAuth, Amazon REST API, HTTP Basic/Digest and so on but can't get it all into "single piece". This is probably the closest situation - Creating an API for mobile applications - Authentication and Authorization I would like to built API-centric website - service. So (in the beginning) I would have an API in center and website (PHP + MySQL) would connect via cURL , Android and iPhone via their network interfaces. So 3 main clients - 3 API keys. And any other developer could also develop via API interface and they would get their own API key. API actions would be accepted/rejected

I have an MVC webapi site that uses OAuth/token authentication to authenticate requests. All the relevant controllers have the right attributes, and authentication is working ok. The problem is that not all of the request can be authorised in the scope of an attribute - some authorisation checks have to be performed in code that is called by controller methods - what is the correct way to return a 401 unauthorised response in this case? I have tried throw new HttpException(401, "Unauthorized access"); , but when I do this the response status code is 500 and I get also get a stack trace. Even

How do I achieve authorization with MVC asp.net? Use the Authorize attribute [Authorize] public ActionResult MyAction() { //stuff } You can also use this on the controller. Can pass in users or roles too. If you want something with a little more control, you could try something like this . public class CustomAuthorizeAttribute : AuthorizeAttribute { protected override bool AuthorizeCore(HttpContextBase httpContext) { string[] users = Users.Split(','); if (!httpContext.User.Identity.IsAuthenticated) return false; if (users.Length > 0 && !users.Contains(httpContext.User.Identity.Name,

Is it possible to access post or get parameters via the HttpActionContext object? I have a set of sensors that loggs data to a web server that provides a REST api. I would like to introduce some sort of authentication/authorization by letting the sensors include their hardware id in the data and then make a lookup in a database to see if the id exists or not. Since the API provides many web api action methods I would ideally like to use a custom authorization attribute public class ApiAuthorizationFilter : AuthorizeAttribute { protected override bool IsAuthorized(HttpActionContext

I need to exclude one Url (or even better one prefix) from normal htaccess Basic Auth protection. Something like /callbacks/myBank or /callbacks/.* Do you have any hints how to do it? What I'm not looking for is how to exclude a file. This has to be url (as this is solution based on PHP framework, and all urls are redirected with mod_rewrite to index.php ). So there is no file under this URL. Nothing. Some of those urls are just callbacks from other services (No IP is not known so I cannot exclude based on IP) and they cannot prompt for User / Password. Current definition is as simple as: