I've watched and viewed lots of pages on securing asp.net web api's - including: http://weblogs.asp.net/jgalloway/archive/2012/03/23/asp-net-web-api-screencast-series-part-6-authorization.aspx and http://weblogs.asp.net/jgalloway/archive/2012/05/04/asp-net-mvc-authentication-customizing-authentication-and-authorization-the-right-way.aspx - however, I've not yet seen a KISS type example.
If I have a web api, which returns a list of cars for example - and I am working with a 3rd party (ie. not my own website or server/domain) who wants to query (get) and insert (post) lists of cars by a type, into my database, how do I authenticate them (via https)?
Do they simply add (into their JSON GET/Post) something like:
[
{"username":"someusername","password":"somepassword"},
{"carTypeID":12345},
{"carTypeID":9876},
{"carTypeID":2468}
]
I can then grab the username and password, and check against my membership database in .net, and "IfUserAuthenticated" go on to process the rest of the JSON?
Or is there a better way of doing this? I've heard of adding details to headers etc - but I'm not sure if that's for a reason, or over complicating it. I've also heard of setting tokens which are sent back to the 3rd party - if that's the best method, what instructions do I give them for building their side of the app that will use my API?
Thanks for any advice/pointers,
Mark
3 answers
#1
5
If you want to keep it simple you can use Basic authentication. Over SSL it's quite secure. It simply involves adding a header to the request:
Authorization: Basic <username:password encoded as base64>
You can find a way to implement it here.
#2
3
You can use HTTP Basic authentication along with SSL. It's very simple to implement using message handlers and is supported out of the box on many platforms. See my blog for an example (it is very easy to integrate with the membership provider of your choice):
http://www.piotrwalat.net/basic-http-authentication-in-asp-net-web-api-using-message-handlers/
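The message-handler approach described in this answer, as an added example that is not the code from the linked blog post: a Web API `DelegatingHandler` that decodes the `Authorization: Basic` header, checks the credentials against the ASP.NET Membership provider, and challenges with `WWW-Authenticate` when they are missing or wrong. It assumes the API is web-hosted, uses Membership, and that the realm name `cars-api` is a placeholder.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Security;

// Runs before routing; validates Basic credentials against the ASP.NET Membership provider.
public class BasicAuthMessageHandler : DelegatingHandler
{
    private const string Realm = "cars-api"; // assumed realm name for the challenge
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Basic sends the password in the clear, so never accept it over plain HTTP.
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
            return request.CreateResponse(HttpStatusCode.Forbidden, "HTTPS required");
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        string user, pass;
        if (auth != null && auth.Scheme == "Basic" && TryParse(auth.Parameter, out user, out pass)
            && Membership.ValidateUser(user, pass))
        {
            // Expose the caller's identity to [Authorize] and to the controllers.
            Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user, "Basic"), new string[0]);
            return await base.SendAsync(request, cancellationToken);
        }
        // Missing or bad credentials: 401 plus a challenge so clients know what to send.
        HttpResponseMessage reply = request.CreateResponse(HttpStatusCode.Unauthorized);
        reply.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"" + Realm + "\""));
        return reply;
    }

    // Decodes base64("username:password"); splitting on the first ':' keeps passwords that contain ':'.
    private static bool TryParse(string parameter, out string user, out string pass)
    {
        user = pass = null;
        if (string.IsNullOrEmpty(parameter)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter)); }
        catch (FormatException) { return false; }
        int sep = decoded.IndexOf(':');
        if (sep <= 0) return false;
        user = decoded.Substring(0, sep);
        pass = decoded.Substring(sep + 1);
        return true;
    }
}
```

Register it once at startup with `GlobalConfiguration.Configuration.MessageHandlers.Add(new BasicAuthMessageHandler());` and the third party only has to send the `Authorization` header from answer #1 on every request; credentials never need to go in the JSON body.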
#3
0
I've written something similar for the Web API:
http://remy.supertext.ch/2012/04/basic-http-authorization-for-web-api-in-mvc-4-beta/
It's in use at a few places now and we've been using it for about 2 months in production. Seems to work fine.