I have a REST API made with ASP.NET Web API with a controller action for which I want to restrict the access.
Basically, this action would delete the whole database behind my application, that’s why I need to restrict it.
MSDN states I have to modify Web.config to turn on Windows authentication for my whole application:
<system.web> <authentication mode="Windows" /> </system.web>
But I would like to expose my whole API to the internet without any authentication, and only enable the Windows authentication and authorization for this specific controller action.
Is it possible?
Everywhere on the internet I see only examples which would restrict the whole app.