ASP.NET Web API Framework and Security Rules - 1.4

Extension ID


What’s new?

See: ASP.NET Web API Framework and Security Rules - 1.4 - Release Notes  for more information.


This extension provides support for ASP.NET Web API. This extension will create links between server side APIs and client calls for HttpGet, httpPut, HttpPost, and HttpDelete methods.

In what situation should you install this extension?

CAST recommends that this extension is installed whenever you are analyzing a .NET application. When using CAST AIP Console, the extension is automatically installed whenever a .NET application is delivered.

ASP.NET Web API support

The following frameworks are supported by this extension:

Version Supported
Web API 2 ✔️
ASP.NET Core Web API ✔️
OData server side ✔️

Files analyzed

Icons File Extension Note


C# *.cs

.NET Razor *.cshtml

VB.NET *.vb


JSON *.json, *.jsonld

ASPX *.aspx


XML *.xml
- Configuration web.config, appsettings.json This extension broadcasts an XML parser for others extensions to analyze web.config files.

Function Point, Quality and Sizing support

This extension provides the following support:

  • Function Points (transactions): a green tick indicates that OMG Function Point counting and Transaction Risk Index are supported
  • Quality and Sizing: a green tick indicates that CAST can measure size and that a minimum set of Quality Rules exist
Function Points (transactions) Quality and Sizing
✔️ ✔️


This extension is compatible with:

CAST Imaging Core release Supported Languages
8.3.x ✔️ C#

Download and installation instructions

A specific version of the ASP.NET Web API Framework extension is shipped with AIP Core. However, this release may not be the release you want to use, therefore you should check before beginning the analysis that the correct extension release is being used.

If you need to change the release use the Included interface in AIP Console:

CAST Transaction Configuration Center (TCC) configuration

If you are using the extension with CAST AIP ≥ 8.3.x, a set of ASP.NET WebAPI specific items are now automatically imported when the extension is installed. These items will be available in the CAST Transaction Configuration Center (click to enlarge):

Packaging, delivering and analyzing your source code

By default, (i.e. out of the box without the ASP.NET Web API extension installed) ASP.NET Web API object types are automatically “captured” by a default configuration provided by the HTML5/JavaScript extension (“Standard Entry Point - HTML5 AspDotNet”). After installation of the ASP.NET WebAPI extension you will find that the “Standard Entry Point - HTML5 AspDotNet” set no longer captures any objects. Instead the ASP.NET objects will be captured by the “Standard Entry Point - Dotnet AspDotNet” set provided in the ASP.NET WebAPI extension.

Therefore you need to update TCC configuration if you are using the “Standard Entry Point - HTML5 AspDotNet” configuration in your sets and layers.

What results can you expect?

Once the analysis/snapshot generation has completed, you can view the results in the normal manner. The following objects and links will be displayed in CAST Enlighten:


All objects are represented under the Class browser folders in CAST Enlighten:

Icon Description

DotNet Get Operation

DotNet Delete Operation

DotNet Post Operation

DotNet Put Operation

DotNet Patch Operation

DotNet Any Operation

DotNet Controller Action

A DotNet Controller Action is created for each controller method, and a call link is created from this action to the method:

These controller actions may be directly called from clients through HTML5 Razor method calls present in cshtml files:

     @Html.ActionLink("Details", "Details", new { id = item.DepartmentID })

One or more DotNet operations are created for one DotNet Controller Action, because the DotNet Server may be called by other clients than Razor clients. From HTML files or sections of HTML in .cshtml files:

<div href="Department/Details">

Controller actions are therefore always present in transactions, but operations are present only for purely HTMLclients (not clients using razor). As the same controller action may be called for several types of HTML5 resource services, and even several types of  URLs (e.g: department/details, department/details/{}, …), operations which are not called from a client are deleted at the end of analysis. In many cases clients are written in razor, as such it would not be a ideal to keep all operations as it would produce false transactions.

ASHX/ASMX support


In ashx/asmx file:

<%@ WebHandler Language="C#" class="PREFIX.TaxServerInfo" %>

In IISHandler1.vb:

Imports System.Web
Public Class IISHandler1
    Implements IHttpHandler

    Public Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest

        ' Write your handler implementation here.

    End Sub
End Class

Will create an operation:


In asmx file:

<%@ WebService Language="vb" CodeBehind="WebService1.asmx.vb" class="WebApplication1.WebService1" %>

In vb file:

Imports System.Web.Services
Imports System.Web.Services.Protocols
Imports System.ComponentModel

' To allow this Web Service to be called from script, using ASP.NET AJAX, uncomment the following line.
' <System.Web.Script.Services.ScriptService()> _
<System.Web.Services.WebService(Namespace:="")> _
<System.Web.Services.WebServiceBinding(ConformsTo:=WsiProfiles.BasicProfile1_1)> _
<ToolboxItem(False)> _
Public Class WebService1
    Inherits System.Web.Services.WebService

    <WebMethod()> _
    Public Function HelloWorld() As String
       Return "Hello World"
    End Function

End Class

Will create an operation for each WebMethod annotated methods:

OData server side support

Controller actions and DotNet operations will be created from each ODataController method following OData naming conventions. The naming of each Controller action will keep the same standard. The naming of the DotNet operations will concatenate the OData service route prefix and the OData path. The odata route prefix is set during the registration of the OData service.The OData path is defined by convention or by attributes in the ODataController.

OData v8 routing prefix in ASP.NET Core Web API

The OData services is added by calling the AddOData method. The AddRouteComponents method is used to register a route, passing along the Edm model to associate it with.

// Program.cs
using Lab01.Models;
using Microsoft.AspNetCore.OData;
using Microsoft.OData.ModelBuilder;
var builder = WebApplication.CreateBuilder(args);
var modelBuilder = new ODataConventionModelBuilder();
    options => options.Select().Filter().OrderBy().Expand().Count().SetMaxTop(null).AddRouteComponents(
var app = builder.Build();
app.UseEndpoints(endpoints => endpoints.MapControllers());

In this example the odata route prefix is odata2.

OData v7 routing prefix in ASP.NET Core

The OData services is added by calling the UseMvc method. The MapODataServiceRoutemethod is used to register a route, passing along the Edm model to associate it with.

public void ConfigureServices(IServiceCollection services)
public void Configure(IApplicationBuilder app)
    var builder = new ODataConventionModelBuilder(app.ApplicationServices);
    app.UseMvc(routeBuilder =>
        // and this line to enable OData query option, for example $filter
        routeBuilder.MapODataServiceRoute("ODataRoute", "odata3", builder.GetEdmModel());
        // uncomment the following line to Work-around for #1175 in beta1
        // routeBuilder.EnableDependencyInjection();

In this example the odata route prefix is odata3.

OData routing prefix in ASP.NET Web API

The OData services is added by calling the MapODataServiceRoute method to register a route, passing along the Edm model to associate it with.

public static class WebApiConfig
    public static void Register(HttpConfiguration config)
        var builder = new ODataConventionModelBuilder();
        config.MapODataServiceRoute("ODataRoute", "odata1", model);

In this example the odata route prefix is odata1.

OData paths

CRUD operations routing
Request Example URI Action Name Example Action Cast Operation name Cast Operation type
GET /entityset odata/Products GetEntitySet or Get GetProducts odata/products CAST_DotNet_GetOperation
GET /entityset(key) odata/Products(1) GetEntitySet or Get GetProduct(int key) odata/products/{} CAST_DotNet_GetOperation
GET /entityset/cast odata/Products/Models.Book GetControllerNameFromEntityType or GetFromEntityType GetProductsFromBook() or GetFromBook() odata/products/ CAST_DotNet_GetOperation
GET /entityset(key)/cast odata/Products(1)/Models.Book GetEntityType GetBook(int key) odata/products/{}/ CAST_DotNet_GetOperation
POST /entityset odata/Products PostEntitySet or Post PostProduct(Product prod) odata/products CAST_DotNet_PostOperation
POST /entityset/cast odata/Products/Models.Book PostFromEntityType or PostEntitySetFromEntityType PostFromBook(Book book) or PostProductFromBook(Book book) odata/products/ CAST_DotNet_PostOperation
PUT /entityset(key) odata/Products(1) PutEntityType or Put PutProduct(int key, Product prod) odata/products/{} CAST_DotNet_PutOperation
PUT /entityset(key)/cast odata/Products(1)/Models.Book PutEntityType or Put PutBook(int key, Book book) odata/products/{}/ CAST_DotNet_PutOperation
PATCH /entityset(key) /Products(1) PatchEntitySet or Patch PatchProduct(int key, Product prod) odata/products/{} CAST_DotNet_PatchOperation
PATCH /entityset(key)/cast /Products(1)/Models.Book PatchEntityType or Patch PatchBook(int key, Book book) odata/products/{}/ CAST_DotNet_PatchOperation
DELETE /entityset(key) /Products(1) DeleteEntitySet or Delete DeleteProduct(int key) odata/products/{} CAST_DotNet_DeleteOperation
DELETE /entityset(key)/cast /Products(1)/Models.Book DeleteEntityType or Delete DeleteBook(int key) odata/products/{}/ CAST_DotNet_DeleteOperation
OData navigation property routing
Request Example URI Action Name Example Action Cast Operation expected name Cast Operation type
GET /entityset(key)/navigation odata/Products(1)/Supplier GetProperty or GetPropertyFromEntitySet GetSupplier(int key) or GetSupplierFromProduct(int key) odata/products/{}/supplier CAST_DotNet_GetOperation
GET /entityset(key)/cast/navigation odata/Products(1)/Models.Book/Author GetProperty or GetPropertyFromEntityType GetAuthor(int key) or GetAuthorFromBook(int key) odata/products/{}/ CAST_DotNet_GetOperation
POST /entityset(key)/navigation odata/Customers(1)/Orders PostToProperty or PostToPropertyFromEntitySet PostToOrdersFromCustomer(int key) or PostToOrders(int key) odata/customers/{}/orders CAST_DotNet_PostOperation
POST /entityset(key)/cast/navigation odata/Customers(1)/Models.Vip/Orders PostToPropertyFromEntityType PostToOrdersFromVip(int key) odata/customers/{}/ CAST_DotNet_PostOperation
PUT /entityset(key)/navigation odata/Customers(1)/Friend PutToProperty or PutToPropertyFromEntitySet PutToFriend(int key) or PutToFriendFromCustomer(int key) odata/customers/{}/friend CAST_DotNet_PutOperation
PUT /entityset(key)/cast/navigation odata/Customers(1)/Models.Vip/Friend PutToPropertyFromEntityType PutToFriendFromVip(int key) odata/customers/{}/ CAST_DotNet_PutOperation
PATCH /entityset(key)/navigation /Customers(1)/Friend PatchToProperty or PatchToPropertyFromEntitySet PatchToFriend(int key) or PatchToFriendFromCustomer(int key) odata/customers/{}/friend CAST_DotNet_PatchOperation
PATCH /entityset(key)/cast/navigation /Customers(1)/Models.Vip/Friend PatchToProperty or PatchToPropertyFromEntitySet PatchToFriendFromVip(int key) odata/customers/{}/ CAST_DotNet_PatchOperation
Attribute routing

Attribute routing is enabled in OData but several syntaxes exist depending on the version exist:

  • Use ODataRouteAttribute(“routepath”) for OData version 7.x or 6.x;
  • Use Http[verb]Attribute(“routepath”) for OData version 8.x;
  • Use RouteAttribute(“routepath”) with Http[verb]Attribute

We create links between controller action and DotNet operations. When used with the extension com.castsoftware.dotnet.odata we also create links towards web services.


These functionalities are not supported:

  • OData functions
  • OData actions
  • Query options


Release Link


  • URLs present in annotations, which are in a variable, are not supported.