I have previously written about how easy it to implement Web API controllers in Sitecore. However since Sitecore adds a lot of global filters for authorization and security policies – e.g. see
sitecore/api/configuration/filters section in
Sitecore.Services.Client.config. You might want to disable these filters, as they can interfere when building a public accessible API – see gist below. During a debugging session I noticed that a filter from some FXM assembly were also added.
To be fair, most of Sitecore’s implementations of
IFilter/ActionFilterAttribute that are assigned globally on
HttpConfiguration, does check for presence of
ServicesControllerAttribute and inheritance of
ServicesApiController. This means you might prevent these filters from doing anything by using
System.Web.Http.ApiController as base class for your controllers. I haven’t been though the code for all Sitecore’s filters, so I’m playing it safe, and decorate my ApiControllers with a
I encourage the developers of Sitecore to consider using controller-specific configuration instead of loading the global
HttpConfiguration with all kinds of module or feature specific stuff.