4
votes

I am protecting a Web API using Forms Authentication; it uses BreezeController. When I try to call a Web API method, I get back the following error.

status:404 statusText: "Not Found" message:"MetaData query failed for:'';, No Http resource was found tha matches...

My question is: why am I not getting back an "Unauthorized" error (401)? Metadata is decorated with [Authorize] as well.

It seems like FormsAuthentication's redirect is causing the problem. It is redirecting to the Login (has AllowAnonymous) Web API method and reports that it cannot find it, even though I have it. Also, I am applying Authorize to the methods instead of the controller. The exact error is:

  {"$id":"1","$type":"System.Web.Http.HttpError, System.Web.Http","Message":"No HTTP resource was found that matches the request URI 'http://localhost:40678/api/Country/Login?ReturnUrl=/api/Country/Metadata'.","MessageDetail":"No action was found on the controller 'Country' that matches the request."}

2 Answers

3
votes

Just tried and working fine. I'm betting you have a mistake in your URL.

Here is the prelim to my controller:

[Authorize]
[BreezeController]
public class BreezeTodoController : ApiController
{
    private readonly BreezeTodoContext _context;

    public BreezeTodoController() {
        _context = new BreezeTodoContext(User);
    }

    [HttpGet]
    public string Metadata() {
        return _context.Metadata();
    }
    // ... more
}

I hit it with this URL

http://localhost:32377/api/breezetodox/metadata

And I get back the 401

Request URL:http://localhost:32377/api/breezetodo/metadata
Request Method:GET
Status Code:401 Unauthorized

But if I make a mistake in the URL (see 'x' after breezetodo)

Request URL:http://localhost:32377/api/breezetodox/metadata
Request Method:GET
Status Code:404 Not Found

Same thing if my action name doesn't match (see 'x' after metadata):

Request URL:http://localhost:32377/api/breezetodo/metadatax
Request Method:GET
Status Code:404 Not Found

In other words, HTTP can't report that a resource is unauthorized if it can't find that resource in the first place.

0
votes

When tagging the BreezeController with [Authorize] and then trying to retrieve the Breeze Metadata directly with this link:

Request URL:http://localhost/breeze/breeze/metadata

redirects to:

http://localhost/Login?ReturnUrl=%2Fbreeze%2Fbreeze%2Fmetadata with a 404

Without the [Authorize] the access to the Breeze metadata with the same link works fine.
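
An added example, not part of either answer or of the Breeze project's code: the redirect to `Login?ReturnUrl=...` reported above comes from Forms Authentication rewriting the API's 401 into a 302, and a custom authorize attribute can switch that rewrite off per response so the client receives the 401 itself. The name `ApiAuthorizeAttribute` is hypothetical, and the code assumes IIS/System.Web hosting on .NET 4.5 or later.

```csharp
using System.Web;
using System.Web.Http;
using System.Web.Http.Controllers;

// Hypothetical attribute name; apply it where [Authorize] was used on
// Web API controllers or actions (for example the Metadata action).
public class ApiAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        // The base implementation sets actionContext.Response to 401 Unauthorized.
        base.HandleUnauthorizedRequest(actionContext);

        // Under System.Web hosting, FormsAuthenticationModule inspects the
        // response at EndRequest and turns a 401 into a 302 to the configured
        // loginUrl. For an API client that follow-up request lands on a URL
        // with no matching action, so the caller sees 404 instead of 401.
        // This flag (available from .NET 4.5) disables the rewrite for this
        // response only; browser page requests elsewhere still get redirected.
        HttpContext context = HttpContext.Current;
        if (context != null)
        {
            context.Response.SuppressFormsAuthenticationRedirect = true;
        }
    }
}
```

With this in place, an unauthenticated call to a protected action should show `401 Unauthorized` in the browser's network trace rather than a redirect followed by `404 Not Found`.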