I'm now building a App that use asp.net webAPI on the server side,I got a problem about the validation:
我现在正在构建一个在服务器端使用asp.net webAPI的应用程序,我遇到了一个关于验证的问题:
I want to provide my webAPI for multi-platform,just like browser's javascript,or windows phone ,and so on,so I decide to implicit the validation with HTTP-BASIC,"(forgive my poor English),the problem is ,In the past time.
我想为多平台提供我的webAPI,就像浏览器的javascript,或者windows phone,等等,所以我决定用HTTP-BASIC来隐式验证(请原谅我的英语不好),问题是,在过去的时间里。
I always take some User's Information in SESSION,but we know that webAPI with RESTful-style is Session-stateless,so how to store the User's information:
我总是在会话中获取一些用户的信息,但是我们知道带有restfulstyle的webAPI是无会话状态的,所以如何存储用户的信息:
And I get some idea,I hope you can help me to make the right choice,thx a lot
我有一些想法,我希望你能帮助我做出正确的选择,非常感谢
1. put the information into the browser's cookie except the user's password and other important infos. everytime I make the http-request ,i take the cookies.and on the server-side,I can query the user's infomation.and make other steps.(the sequence will not work on moblie platform,cuz cookies only in browsers)
1。除了用户的密码和其他重要信息外,将信息放入浏览器的cookie中。每次我发出http请求时,我都会获取cookie。在服务器端,我可以查询用户的信息。并使其他步骤。(该序列不会在moblie平台上运行,只在浏览器中使用cuz cookie)
2.user HTTP-BASIC validation,and everytime the server get the httpRequest,it get the username and password in the HTTP-Headers,and server-side also can query the user's information.
2。用户HTTP-BASIC验证,服务器每次获得httpRequest时,都会在http - header中获得用户名和密码,服务器端也可以查询用户的信息。
1 个解决方案
#1
2
Most REST APIs I've seen handle authentication one of two ways:
我见过的大多数REST api处理身份验证的方式有两种:
- HTTP Headers, be it basic auth, or some custom headers to pass credentials. This would be your option 2. This is only really good if you're running over HTTPS, since the credentials will be in clear text in the headers.
- HTTP报头,可以是基本的auth,也可以是一些自定义报头来传递凭据。这是你的选择2。这只有在您运行HTTPS时才会很好,因为凭证将在header中以明文形式显示。
- Using a pair of tokens, one as an identifier (somewhat like a user name) and one shared secret between the client and the server (somewhat like a password). A hash is then made of the identifier, parts of the request parameters, and the secret. This hash and the identifier is then sent along with the request. The server, knowing the secret, then computes the hash using the same method, and ensures they match (Amazon Web Services uses this method, along with anything using OAuth).
- 使用一对令牌,一个作为标识符(有点像用户名),以及客户端和服务器之间的共享秘密(有点像密码)。然后对标识符、请求参数的部分和秘密进行哈希。这个散列和标识符将随请求一起发送。服务器知道这个秘密,然后使用相同的方法计算散列,并确保它们匹配(Amazon Web Services使用此方法,以及任何使用OAuth的方法)。
More web APIs seem to be migrating to the second method here, as it is resistant to tampering and replay attacks, unlike basic auth. It is, of course, more complex.
更多的web api似乎正在迁移到这里的第二种方法,因为与基本的auth不同,它抵抗篡改和重播攻击。当然,这更复杂。
RFC 5849 Section 3.4 for OAuth, while dry reading, goes through the process used for creating the hash, and probably would be a good starting point for implementing, if you desire. A basic implementation in C# is provided on the OAuth Google Code site, and might be a better choice to start with.
RFC 5849 OAuth的第3.4节在进行干读时,将经历用于创建散列的过程,如果您愿意,这可能是实现散列的良好起点。在OAuth谷歌代码站点上提供了c#中的一个基本实现,它可能是开始时更好的选择。
#1
2
Most REST APIs I've seen handle authentication one of two ways:
我见过的大多数REST api处理身份验证的方式有两种:
- HTTP Headers, be it basic auth, or some custom headers to pass credentials. This would be your option 2. This is only really good if you're running over HTTPS, since the credentials will be in clear text in the headers.
- HTTP报头,可以是基本的auth,也可以是一些自定义报头来传递凭据。这是你的选择2。这只有在您运行HTTPS时才会很好,因为凭证将在header中以明文形式显示。
- Using a pair of tokens, one as an identifier (somewhat like a user name) and one shared secret between the client and the server (somewhat like a password). A hash is then made of the identifier, parts of the request parameters, and the secret. This hash and the identifier is then sent along with the request. The server, knowing the secret, then computes the hash using the same method, and ensures they match (Amazon Web Services uses this method, along with anything using OAuth).
- 使用一对令牌,一个作为标识符(有点像用户名),以及客户端和服务器之间的共享秘密(有点像密码)。然后对标识符、请求参数的部分和秘密进行哈希。这个散列和标识符将随请求一起发送。服务器知道这个秘密,然后使用相同的方法计算散列,并确保它们匹配(Amazon Web Services使用此方法,以及任何使用OAuth的方法)。
More web APIs seem to be migrating to the second method here, as it is resistant to tampering and replay attacks, unlike basic auth. It is, of course, more complex.
更多的web api似乎正在迁移到这里的第二种方法,因为与基本的auth不同,它抵抗篡改和重播攻击。当然,这更复杂。
RFC 5849 Section 3.4 for OAuth, while dry reading, goes through the process used for creating the hash, and probably would be a good starting point for implementing, if you desire. A basic implementation in C# is provided on the OAuth Google Code site, and might be a better choice to start with.
RFC 5849 OAuth的第3.4节在进行干读时,将经历用于创建散列的过程,如果您愿意,这可能是实现散列的良好起点。在OAuth谷歌代码站点上提供了c#中的一个基本实现,它可能是开始时更好的选择。