Anti Forgery Tokens with AngularJS and ASP.NET Web API

Single Page Applications using AngularJS with ASP.NET will by default leave our web api methods open to forgery abuse. A few simple steps will allow you to add anti forgery protection. Continue reading

Posted in Web API | Tagged , | Leave a comment

Generic wrapper for calling ASP.NET WEB API REST service using HttpClient with optional HMAC authentication

Wanting to implement my business rules in a separate tier running on a different server than the presentation tier I decided that I wanted the business tier to expose its functionality via REST methods using the web api. I then wanted a standard reusable generic way of calling the different controllers so I started on a proof of concept.

Whilst developing the proof of concept I also explored ways of securing the web api calls so that the controllers could not be used indiscriminately. I initially tried using a shared secret in the request headers and then extended this to use HMAC.

In addition to the wrapper for the HttpClient calls to the web api I also needed an ActionFilter to use with the web api controllers to check the shared secret or HMAC code. Continue reading

Posted in Web API | Tagged , , | Leave a comment

Unit Testing an ASP.NET MVC 4 Controller using MS Test, Rhino Mocks, AutoMapper and Dependency Injection

I decided to put together a demo project to showcase unit testing an ASP.NET MVC controller. The MVC controller is part of a much larger n-tier solution that stores data in SQL Server, uses Entity Framework, has a data layer using the Repository and Unit of Work patterns, and a service layer on top, but you will see from the testing that all this complexity is hidden and the front end MVC application could be layered on top of mush as far as the MVC and Test projects are concerned. Continue reading

Posted in Unit Testing | Tagged , , | Leave a comment

ASP.NET MVC3 Using Code First Entity Framework Without Database Generation

Note that this works just as well with MVC4 as it does MVC3.

So, when is Code First not Code First?

It is possible, even recommended, to use ‘code first’ techniques even when you are not generating the database from the code. This is hinted at in the Creating an Entity Framework Data Model for an ASP.NET MVC Application article on Microsoft’s web site ( The code first technique will mean that you are using POCO classes for the models which are persistence ignorant. Continue reading

Posted in Entity Framework | Tagged , | Leave a comment