OData Security Guidance in ASP.Net Web API


This article explains OData Security Guidance. It gives some security options that we can use when we expose a dataset using ODATA.
It defines the types of security that are as follows:

  • EDM Security
  • Query Security

EDM security

The EDM model depends on the entity model. It is not an implicit type of model. If there is a need for ignoring any property from the EDM, then we use the [IgnoreDataMember] attribute. When we use this attribute the property is not visible in the EDM. Now here we see an example of class "Customer" that has various properties such as "name", "address" and "Contact_no". If we want that the "Contact_no" property is the EDM then we can exclude it by using [IgnoreDataMember].


  1. public class Customer  
  2. {  
  4.         public string Name { getset; }  
  5.         public string Title { getset; }  
  6.         [IgnoreDataMember]  
  7.         public decimal Salary { getset; }  
  8. }  

There is another way to exclude the property from the EDM.

  1. var customer = modelBuilder.EntitySet<Customer>("Employees");  
  2. employees.EntityType.Ignore(cust => cust.Contact_no);  
  3.     }  

In the query security, the query is converted and implemented through an action filter that is the [Queryable] attribute. It is based on the LINQ expression that is found by parsing the Query in the LINQ expression. And again the LINQ expression is parsed into a Query option through the IQueryable LINQ provider that is returned though the OData Controller. And it also depends on the distinct feature of the database.

If you believe your clients or database is small, then the performance of the Query is not an issue. Or as you can use these references:

  • You can check your service with the various queries and profile the Database.

  • We use the page driven paging by modifying it, that ignores the return of an excessive amount of data into one Query. Server driven paging is a technique that prevents the database from sending the limited data in a single response. For enabling it we can set the "PageSize" property with in the [Queryable] attribute.

[Queryable(PageSize = 8)]


  1. public IQueryable<Item> Get()  
  2. {  
  3.     return items.AsQueryable();  
  4. }  


  • There are more applications that enable $top and $skip for the user paging, And it can be prohibited others query option

  • We allow for the $Orderby property for the assemble index. The sorting of the excess amount data is very slow for an index that is not assembled.


  • In the Queryable attribute there is a property "MaxNodeCount". This property is used for fixing the value of counting the maximum nodes in one time in the $filter syntax. But this syntax has 100 as a default value and it is possible, we can set a lower value than the default. The process can be slow with the large value of the node.


  • In the Query option it takes any() and all() as disabled since they are slow.

  • It takes the string function as disabled if there is a string property that has an excess string


  • The property of filtering navigation generates A combined response so its process is slow. This property is considered to be prohibited. For avoiding this property we use the Query validation. We use the [Queryable] attribute. Before starting the execution of the query the attribute approved it. The Method "QueryableAttribute.ValidateQuery", under this method we approved the Query.

  • By creating the validator, we cosidered the $filter as bound that change the database.

OData is created to only be implemented as an OData specification that has the requirement for it target scenerio.

Up Next
    Ebook Download
    View all
    View all