Implementing a WebApi service using ServicesApiController in Sitecore 8

This will just be a quick post about implementing a WebApi controller in Sitecore 8 using the ServicesApiController class.

Perhaps this post can help some of the teams in the ongoing Sitecore Hackathon, who knows.

The ServicesApiController class

Sitecore.Services introduce a new abstract class called ServicesApiController that derives from the System.Web.ApiController.

The class itself only purpose is to identify an ApiController as being a Sitecore ServicesApiController.

This identification is used by some WebApi filters that is added in the include config file Sitecore.Services.client.config

Deriving a controller from the ServicesApiController class instead of its base System.Web.Http.ApiController ensures that the controller uses these filters and that the security policy which is set for the item web api and entity services also applies for your derived class.

A simple example

As a very very basic example I will make a simple Controller that respond with some hardcoded JSON data and in my next post I will show how to instead respond with data from a custom mongo DB collection.

Now when we have the controller in place we need to register a route to the controller.

We do this by creating a pipeline processor for the initialize pipeline. This is the same concept as I used in my previous post about securing password recovery in Sitecore 8 and the concept is also used by the ListManager and the PathAnalyzer applications in Sitecore 8.

We then patch in this processor in the initialize pipeline using the following configuration include patch.

Now when we try to request the the controller we get the following expected result on our local machine.


But we get a 403 status code (forbidden) when requesting the controller from a remote machine.


This is because of the default security policy for the item web api is set to the ServicesLocalOnlyPolicy policy that only allow requests from localhost through to the services. See the Sitecore.Services.client.config for a description of the different security policies that can be applied to ServicesApiControllers.

What are the benefits of ServicesApiController then?

If we had chosen to derive our Controller directly from the System.Web.Http.ApiController class then none of the filters that is set in config would apply to our Controller and it would be accessible for anyone and exceptions would not be logged in the Sitecore log.

That was it.

In my next post I will show how to get and set data from a mongo db through a ServicesApiController.

Anders Laub Christoffersen

Anders has been working with Sitecore for over a decade and has in this time been the lead developer and architect on several large scale enterprise solutions all around the world. Anders was appointed the title of Sitecore Technical MVP in 2014 and has been re-appointed the title every year since then.

One thought on “Implementing a WebApi service using ServicesApiController in Sitecore 8

Leave a Reply

Your email address will not be published. Required fields are marked *