Why convert WCF REST services anyway?
First: WCF REST processes JSON using (by default) the DataContractJsonSerializer, while Web API 2 (by default) uses NewtonSoft JSON, which today is the best choice.
Secondly: WCF more or less runs in ASP.NET context, using a HttpContext hack plus routing to a WCF service is much more complex than the easy Attributed like (RoutePrefixAttribute) Web API controller.
Third: Arguably, WCF REST services, simply are from the previous generation .NET. Certainly, I still would use WCF for implementing a SOAP client/server, but not for REST.

So, how can I convert my WCF Rest services to Web API 2 without telling customers to implement changes as well?

Here is my experience, which might gain some time for you.

Just this, my customer already used VB.NET in this project, so don’t blame me for using VB.NET instead of C# :)

The existing Services (called ‘Controllers’ in Web API terms) looked like this…

Service Body definition+attributes

Partial Public Class MobileService
     Inherits ServiceBase

ServiceBase is just a base class which has some methods for shortening getting the MemberShip User and Booleans like ‘IsAdmin’. For brevity, you don’t need to see it.

Service actions

They look like this:

<WebInvoke(Method:="GET", UriTemplate:="Product/{productid}")>
Public Function GetProduct(productid As String) As Product
    If MembershipUser Is Nothing Then Throw New UnauthorizedAccessException()
    Return New Product(CInt(productid))
End Function

There are several attributes, such as WebGet etc, which you quickly recognize having counterparts in WebAPI2


You know, REST = HTTP [ACTION VERB(S)] URL + [body].
WCF had an Attribute AspNetCompatibilityRequirements which enabled you to even have a Session State and to run within the ASP.NET pipeline. However, REST should not have a ‘session state’.

The response can depending on the Http Header Accept be either application/json, or application/xml

JSON is the easiest stuff, because it does not deal with XML namespaces. However, if an endpoint client requests application/xml, the service might return a constructed rootname element, using the controller name as a basename. Such as  <ArrayOfHardwareService.Category xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns=http://schemas.datacontract.org/2004/07/Yadda">

As you see, because my WCF REST controller was named HardwareService, it is being used in the XML output. If you have existing customers, you cannot just modify it to be, say, ‘ArrayOfHardwareController’.

Now, a real service implementor, would advice you to use CollectionDataContract attributes. Please do so, for new from scratch projects, However, again, I don’t want to redefine my existing object model, which can be a lot of work!

TIP 1: Use this excelent hack, which really works like a charm.


In VB.NET (I guess, your gasping to see it?) this little helper is like this:

Public Class CustomHttpControllerTypeResolver
      Inherits DefaultHttpControllerTypeResolver
      Public Sub New()
          MyBase.New(Function(T As Type)
                         If T Is Nothing Then Throw New ArgumentNullException("t")
                         Return T.IsClass AndAlso T.IsVisible AndAlso Not T.IsAbstract AndAlso GetType(ApiController).IsAssignableFrom(T) AndAlso GetType(IHttpController).IsAssignableFrom(T)
                     End Function)
      End Sub
  End Class

In Application_OnStart (or so) you add this

Web.Http.GlobalConfiguration.Configuration.Services.Replace(GetType(System.Web.Http.Dispatcher.IHttpControllerTypeResolver), New Api.CustomHttpControllerTypeResolver())

In WebApiConfig use this:

'override the suffix 'Controller' requirement
Dim suffix = GetType(DefaultHttpControllerSelector).GetField("ControllerSuffix", BindingFlags.Static Or BindingFlags.Public)
If suffix IsNot Nothing Then suffix.SetValue(Nothing, String.Empty)
I really like this hack above! Because we don’t need to mess with caching the WebAPI2 controllers ourselves. Which is indeed madness to implement ourselves (mostly).

Now the next challenge. Most companies have JSON/XML services available as service for both end-to-end points, but also as data-source in websites, which consume it using javascript.
In ASP.NET, you probably have some FormsAuthentication mechanism, which is cookie based and optimized for persisting an authenticated session.
WebAPI 2 Controllers do support this, using the Authorize attribute, however, you’ll discover, it does NOT support Basic authentication, which is in combination with SSL, a good candidate for encryption over data for most B-2-B endpoints..

So you need a ‘hack’ to elegantly support BOTH FormsAuthentication, and Basic Authentication. Note, the sample from the Web I used it from, ONLY supports BasicAuthentication, incorrectly calling it ‘Mixed’ support, which it was not. My code however, does support both FormsAuthentication as well as Basic authentication.

Note 1: It does not support the FormsAuthentication challenge sequence, which I don’t need since one normally does not log on using a browser to a JSON Service URL/endpoint. So, MyBase.IsAuthorized(actionContext) does the trick. Thus you don’t have to validate the .aspxauth cookie (Part of FormsAuthentication) yourselves.

Note 2: You must finish the TODO comment, otherwise, the attribute won’t work for you.

TIP 2 Use the attribute below, as a replacement for the Authenticate attribute.

''' <summary> 
''' HTTP authentication filter for ASP.NET Web API
''' </summary>
''' <seealso cref="
Public MustInherit Class BasicHttpAuthorizeAttribute
    Inherits AuthorizeAttribute

    Private Const BasicAuthResponseHeader = "WWW-Authenticate"
    Private Const BasicAuthResponseHeaderValue = "Basic"

    Public Overrides Sub OnAuthorization(actionContext As HttpActionContext)

        If (actionContext Is Nothing) Then
            Throw New ArgumentNullException("actionContext")
        End If
        If (AuthorizationDisabled(actionContext) OrElse MyBase.IsAuthorized(actionContext) OrElse AuthorizeRequest(actionContext.ControllerContext.Request)) Then
        End If

    End Sub

    Protected Overrides Sub HandleUnauthorizedRequest(actionContext As HttpActionContext)

        If (actionContext Is Nothing) Then
            Throw New ArgumentNullException("actionContext")
        End If
        actionContext.Response = CreateUnauthorizedResponse(actionContext.ControllerContext.Request)
    End Sub

    Private Shared Function CreateUnauthorizedResponse(request As HttpRequestMessage) As HttpResponseMessage

        Dim result = New HttpResponseMessage() With
                        .StatusCode = HttpStatusCode.Unauthorized,
                        .RequestMessage = request

        'we need to include WWW-Authenticate header in our response,
        'so our client knows we are using HTTP authentication
        result.Headers.Add(BasicAuthResponseHeader, BasicAuthResponseHeaderValue)
        Return result
    End Function

    Private Shared Function AuthorizationDisabled(actionContext As HttpActionContext) As Boolean
        'support New AllowAnonymousAttribute
        If Not actionContext.ActionDescriptor.GetCustomAttributes(Of AllowAnonymousAttribute).Any() Then
            Return actionContext.ControllerContext.ControllerDescriptor().GetCustomAttributes(Of AllowAnonymousAttribute).Any()
            Return True
        End If
    End Function

    Private Function AuthorizeRequest(request As HttpRequestMessage) As Boolean

        Dim authValue = request.Headers.Authorization
        If (authValue Is Nothing OrElse String.IsNullOrWhiteSpace(authValue.Parameter) OrElse
            String.IsNullOrWhiteSpace(authValue.Scheme) OrElse
            authValue.Scheme <> BasicAuthResponseHeaderValue) Then

            Return False
        End If

        Dim parsedHeader = ParseAuthorizationHeader(authValue.Parameter)
        If parsedHeader Is Nothing Then
            Return False
        End If
        Dim principal As IPrincipal = Nothing
        If TryCreatePrincipal(parsedHeader(0), parsedHeader(1), principal) Then

            HttpContext.Current.User = principal
            Return CheckRoles(principal) AndAlso CheckUsers(principal)

            Return False
        End If
    End Function

    Private Function CheckUsers(principal As IPrincipal) As Boolean

        Dim usrs = UsersSplit
        If usrs.Length = 0 Then Return True
        'NOTE: This is a case sensitive comparison
        Return usrs.Any(Function(u) principal.Identity.Name = u)
    End Function

    Private Function CheckRoles(principal As IPrincipal) As Boolean

        Dim rls = RolesSplit
        If rls.Length = 0 Then Return True
        Return rls.Any(Function(r) principal.IsInRole(r))
    End Function

    Private Shared Function ParseAuthorizationHeader(authHeader As String) As String()

        Dim credentials = Encoding.ASCII.GetString(Convert.FromBase64String(authHeader)).Split(":"c)
        If (credentials.Length <> 2 OrElse String.IsNullOrEmpty(credentials(0)) OrElse
            String.IsNullOrEmpty(credentials(1))) Then
            Return Nothing
        End If
        Return credentials
    End Function

    Protected ReadOnly Property RolesSplit() As String()
            Return SplitStrings(Roles)
        End Get
    End Property

    Protected ReadOnly Property UsersSplit() As String()
            Return SplitStrings(Users)
        End Get
    End Property

    Protected Shared Function SplitStrings(input As String) As String()
        If String.IsNullOrWhiteSpace(input) Then Return New String() {}
        Dim result = input.Split(","c).Where(Function(s) Not String.IsNullOrWhiteSpace(s.Trim()))
        Return result.Select(Function(s) s.Trim()).ToArray()
    End Function

    ''' <summary>
    ''' Implement to include authentication logic and create IPrincipal
    ''' </summary>
    Protected MustOverride Function TryCreatePrincipal(user As String, password As String, ByRef principal As IPrincipal) As Boolean
End Class
Public Class MembershipHttpAuthorizeAttribute
    Inherits BasicHttpAuthorizeAttribute

    ''' <summary>
    ''' Implement to include authentication logic and create IPrincipal
    ''' </summary>
    Protected Overrides Function TryCreatePrincipal(user As String, password As String, ByRef principal As IPrincipal) As Boolean

        principal = Nothing
        If Not Membership.ValidateUser(user, password) Then
            Return False
        End If
        Dim rles = Web.Security.Roles.Provider.GetRolesForUser(user)

'TODO: You must assign here your OWN principal       

        'principal = New GenericPrincipal(New GenericIdentity(user), roles)
        Return True
    End Function

End Class


Final Controller body

<RoutePrefix("api/blah"), MembershipHttpAuthorize(Roles:=aspnet_Role.blahRole+","+ aspnet_Role.BlahRole2)>
Partial Public Class MobileService
    Inherits Api.ApiBaseController

As you can see, I don’t have the ‘ Controller’  suffix for my Web API2 controller, and I even can use the RoutePrefix attribute. Second, I did not use ‘ Authorize’  attribute, but the mixed MembershipHttpAuthorize attribute.

Controller Actions

' <summary>
' Looks up some data by ID.
' </summary>
<HttpGet, Route("Product/{productid}")>
Public Function GetProduct(productid As Integer) As IHttpActionResult

    Return Ok(New Product(productid))
End Function

I don’t know if WCF could support non-string parameters, I don’t want to know, anyway, as above, you see, it’s quite simple.

In this case, I like to have a function of type IHttpActionResult, because than I easily can return BadRequest or NotFound(). http://www.asp.net/web-api/overviewaa



- Sometimes, it seemed that JQuery simply did not behave nicely with a REST / JSON call (this also was the case in the WCF implementation of my client), that only returns HTTP 200 (OK) with no return body. So, I found out, that service reliability improved by returning A value such as Ok(True). So, basically, always define your actions with a specific type, not being ‘void’ or ‘sub’. OK?

- Another issue occurring with HttpPost and HttpPut is when parameters are partly from a Uri and partly from body. WCF could figure this out, but strangely enough, you must help Web Api 2 using attributes FromUriAttribute and FromBodyAttribute. I did not have time to figure out when this was needed, or not but added the attribute.


<HttpPost, Route("Network/{networkid}/GetCustomerConsumer/")>
Public Function GetCustomerConsumer(networkid As Integer, <FromBody> req As GetCustomerConsumerRequest) As IHttpActionResult
        Return Ok(GetCustomer(networkid, req))
    Catch ex As Exception
        Return BadRequest(ex.Message)
    End Try
End Function

In the sample below, it certainly was necessary to define a ‘ dummy’  class, to pass simple types like status, which is an integer.

<HttpPost, Route("status/{myid}")>
Public Function SetStatus(myid As Integer, <FromBody> dm As Dummy) As IHttpActionResult

Public Class Dummy
     Public remark As String
     Public status As Integer
End Class

- Ironically, the DataContractJsonSerializer was able to convert JSON ‘objects’ back to an interface, say, ICustomer, while NewtonSoft serializer complains about  not being able to cast from an object to ICustomer. It might happen with your project as well, as long as (not sure however) there is no ambiguity on which class it should instantiate for ICustomer. (The KnownTypeAttribute, normally should fix this). The NewtonSoft Serializer, allows you to utilize an attribute. This code below, also might save you some hours research on how to fix that. (Sorry, this time it is C#, yeah)

Here we use the attribute:

public ICustomer Customer { get; set; }

And here you have the class. Just in case a concept you need it and how you use it!

public class PersonConverter : JsonCreationConverter<Person>
        protected override Person Create(Type objectType, JObject jObject)
            if (FieldExists("Initials", jObject))
                return new Person();
            if (FieldExists("Type", jObject))
                return new Contact();
            return null;
        private static bool FieldExists(string fieldName, JObject jObject)
            return jObject[fieldName] != null;
    public abstract class JsonCreationConverter<T> : JsonConverter
        /// <summary>
        /// Create an instance of objectType, based properties in the JSON object
        /// </summary>
        /// <param name="objectType">type of object expected</param>
        /// <param name="jObject">
        /// contents of JSON object that will be deserialized
        /// </param>
        /// <returns></returns>
        protected abstract T Create(Type objectType, JObject jObject);

        public override bool CanConvert(Type objectType)
            return typeof(T).IsAssignableFrom(objectType);

        public override object ReadJson(JsonReader reader,
                                        Type objectType,
                                         object existingValue,
                                         JsonSerializer serializer)
            // Load JObject from stream
            var jObject = JObject.Load(reader);

            // Create target object based on JObject
            var target = Create(objectType, jObject);

            // Populate the object properties
            serializer.Populate(jObject.CreateReader(), target);

            return target;

        public override void WriteJson(JsonWriter writer,
                                       object value,
                                       JsonSerializer serializer)
            //default easy muke
            serializer.Serialize(writer, value);

Annother quirk that might bite you, is the fact that a WCF REST service, defaults to return application/xml content while Web API defaults to application/json. If a client application did not specify the Accept Header or even specifies ‘text/html’. This line below fixes the default output again to application/xml.

config.Formatters.XmlFormatter.SupportedMediaTypes.Add(New MediaTypeHeaderValue("text/html"))

WebApi Config

You need to adapt JSON serialization as well. Try to keep it using the NewtonSoft.Json serializer, instead of the  json.UseDataContractJsonSerializer=true!

You need to set MicrosoftDateFormat to be compatible with the WCF REST JSON output (instead of ISO). Second, you need to output Null Values as well. There also is an issue, with TimeZone support in WCF, which is unspecified I believe, which leads to crazy bugs with DateTime output, anyway, without solving that WCF issue in this article, you need ‘ Unspecified’  here as well.

Another nice feature while debugging/developing, is Indented JSON which allows you to easily read your JSON output using your favorite Browser Netwerk trace.

   Public Class WebApiConfig
        Public Shared Sub Register(ByVal config As HttpConfiguration)

            Dim json = config.Formatters.JsonFormatter
            json.SerializerSettings.DateFormatHandling = Newtonsoft.Json.DateFormatHandling.MicrosoftDateFormat          
            json.SerializerSettings.NullValueHandling = Newtonsoft.Json.NullValueHandling.Include
            json.SerializerSettings.DateTimeZoneHandling = Newtonsoft.Json.DateTimeZoneHandling.Unspecified
#If DEBUG Then
            json.SerializerSettings.Formatting = Newtonsoft.Json.Formatting.Indented
#End If
            'override the suffix 'Controller' requirement
            Dim suffix = GetType(DefaultHttpControllerSelector).GetField("ControllerSuffix", BindingFlags.Static Or BindingFlags.Public)
            If suffix IsNot Nothing Then suffix.SetValue(Nothing, String.Empty)  

        End Sub
    End Class