The Web API Request's Journey


ASP.Net Web API Flow

ASP.NET Web API is a framework that makes it easy to build HTTP services that reach a broad range of clients, including browsers and mobile devices. ASP.NET Web API is an ideal platform for building RESTful applications on the .NET Framework. So HTTP is not just for serving up web pages. It is also a powerful platform for building APIs that expose services and data.

Hosting Web API

Web API can be hosted either on ASP.NET or you could write a Console App or a Windows Service yourself to self-host. Web API’s flexibility starts right at the core as to where it can be hosted.

·         ASP.NET Hosting: When hosted on ASP.NET, the lifecycle starts with the HttpControllerHandler which is an implementation of IHttpAsyncHandler and is responsible for passing requests into the HttpServer pipeline.

·         Self Hosting: When you are Self Hosting, the HttpServer pipeline starts at the HttpSelfHostServer which is an implementation of HttpServer and directly listens to HTTP requests.

Here is the code snippet for self-hosting Web API.

using System.Web.Http;
using System.Web.Http.SelfHost;     

var config = new HttpSelfHostConfiguration("http://localhost:8080");

config.Routes.MapHttpRoute(
    "API Default", "api/{controller}/{id}",
    new { id = RouteParameter.Optional });

using (HttpSelfHostServer server = new HttpSelfHostServer(config))
{
    server.OpenAsync().Wait();
    Console.WriteLine("Press Enter to quit.");
    Console.ReadLine();
}


HTTP Message Handlers

Once a request leaves your Service host, it travels as an HttpRequestMessage object in the pipeline. The next stage in the flow is the Message Handlers.

Delegating Handler

Delegating handlers are an extensibility point in the message flow allowing you to massage the Request before passing it on to the rest of the Web API flow. The response message on its way back has to pass through the Delegating Handler as well, so any response can also be monitored/filtered/updated at this extensibility point. Delegating Handlers if required can bypass the rest of the flow too and send back and Http Response themselves.

Routing Dispatcher
If the request makes it through the option Delegation handlers, it reaches the Routing Dispatcher next. The dispatcher checks if the Route Handler is null. If it is null, it proceeds to the next step in the flow.
However if it’s not null, it implies there are one or more per-route message handlers in place and the request is passed on to the Handlers. Here it loops through the available handlers and picks the one matching the request, the request is then handled. Remember, you can have a delegation handler in your Route Handler, so you can bypass the rest of the flow even at this point.

Controllers

The request enters the Controllers when the routing handlers pass the request to the next stage.
Authorization Filters
Authorization Filters  is the first step in the Controllers section. If there are Authorization Filters present and the request fails Authorization, the Auth filter truncates the request and sends back an Auth Failure response directly.

Model Binding
After successful authorization, the request proceeds into the Model Binding section. This is not a single step. First we look at the following three parts of HTTP Request:

·         URI Binding
The URI goes through the ModelBinderParameterBinding object which checks further if there is custom IModelBinder or IValueProvider. The final outcome is a Simple Type.

·         Formatter Binding
The Entity Body is managed through the FormatterParameterBinding. We can plug in custom Media Type Formatters and if the request needs one of these two is utilized it is piped through the appropriate Media Type Formatter before it gets converted to the required Complext Type.

·         Http Parameter Binding
If we have a custom HttpParameter binding module the entire request is piped through it instead and the final output could be any type spit out by the custom Http Parameter Binder.

Action Filters
After Model Binding is complete, the flow proceeds to the Action Filters. Action filters are actually invoked twice, before and after the controller Action.

Action Invoker
The Action Invoker invokes the Controller Action using the binding and model state in the HttpActionContext.The Action Invoker finally invokes the Controller action and the return journey of the Message in form of HttpResponseMessage begins from here. In case there is an exception while invoking the Action, the exception is routed to the Exception Filters which can send back appropriate Error Response.

Controller Action
The controller action executes the code in the Action method and returns from the Action Method. Depending on what it returns, the Result Conversion piece kicks in and prepares the HttpResponseMessage.

Result Conversion
The outcome of the Action method can be of three types

  • An HttpResponseMessage – In this case, there is nothing to convert and the message is directly passed through and is on its way back in the pipeline.
  • A void – If the outcome of the Action Method is a void, it is actually converted into an HttpResponseMessage with status 204 implying – No Content.
  • If any other Types are returned by the Action method, Content Negotiation and Media Type Formatters kick in. The content negotiator checks to see if we can return the requested content, picks up the appropriate Media Type Formatter, churns the return data through it, to get an appropriate HttpResponseMessage out.


Once we have the required HttpResponseMessage, it begins its journey back through the components of the pipeline it traversed originally.

So that's the  Web API Request's Journey. :-)

Comments

Post a Comment

Popular posts from this blog

Data Bound Controls in ASP.Net - Part 4 (FormView and DetailsView controls)

FormView The FormView control is used to display a single record from a data source. It is similar to the DetailsView control, except it displays user-defined templates instead of row fields. Creating your own templates gives you greater flexibility in controlling how the data is displayed. The FormView control supports the following features: ·          Binding to data source controls, such as SqlDataSource and ObjectDataSource. ·          Built-in inserting, updating and deleting capabilities. ·          Built-in paging capabilities. ·          Programmatic access to the FormView object model to dynamically set properties, handle events, and so on. ·          Customizable appearance through user-defined templates, themes, and styles. Templates For the FormView control to display content, you need to create templates for the different parts of the control. Most templates are optional; however, you must create a template for the mode in which the control is configur
Read more

ASP.net: HttpHandlers

Image
HTTPHandlers: ASP.NET handles all the HTTP requests coming from the user and generates the appropriate response for it. ASP.NET framework knows how to process different kind of requests based on extension. For example, it can handle request for .aspx , .ascx and .txt files, etc. When it receives any request, it checks the extension to see if it can handle that request and performs some predefined steps to serve that request. ASP.NET provides a low-level request/response API that enables developers to use .NET Framework classes to service incoming HTTP requests.So as a developer, One might want to handle some new kind of requests such as requests for .jpg or .gif. ASP.NET provides HTTPHandler to handle requests for .jpg or .gif. An ASP.NET HTTP handler is the process or endpoint that runs in response to a request made to an ASP.NET Web application. The most common handler is an ASP.NET page handler that processes .aspx files. When users request an .aspx file, the requ
Read more

The Clickjacking attack and X-Frame-Options

Clickjacking  Clickjacking is a type of “web framing” or “UI redressing” attack. What that simply means in practice is that: 1. A user (victim) is shown an innocuous, but enticing web page (think watch online video) 2. Another web page (that generally does something important – think add friends on social network) is layered on top of the first page and set to be transparent 3. When the user thinks they are clicking on the web page they see (video), they are actually clicking on the higher layered (framed) page that is transparent There are two main ways to prevent clickjacking: 1.     Sending the proper X-Frame-Options HTTP response headers that instruct the browser to not allow framing from other domains 2.     Employing defensive code in the UI to ensure that the current frame is the most top level window Using X-Frame-Options X-Frame-Options  originally invented by Microsoft for IE8, but supported by a number of browsers, this idea might have more
Read more