ASP.NET Web API Issues - Authorization / Authentication

I was asked to create an API for clients. Before starting, I have some questions. I decided to use ASP.NET Web API technology. I created my first method and it works great; I can return the result set of products in XML / JSON format. The problem is that anyone who accesses my API, which is located on my website, will be able to see all my products. I already have a customer database; how can I use this so that they have to set some credentials before accessing my API?

The API must be available for both Web and desktop clients.

One of the ways I thought of doing this is that they pass in their username / password along with the parameters, but that didn't look very secure / correct? For instance: api/products/GetById/750?username=bob&pass=123

+5
4 answers

You can use AuthorizeAttribute to decorate your controllers / actions.

[Authorize]
public IEnumerable<Product> Get() {...}

This may limit the availability of your resources to authenticated users only.

The actual authentication method is another story. By default, the Web API uses cookie-based ASP.NET Forms Authentication, which is good if the API is directly consumed from an HTML + JS web client.

, API / - , HTTP- , ( SSL ).

http://www.piotrwalat.net/basic-http-authentication-in-asp-net-web-api-using-membership-provider/, , HTTP, ASP.NET .

+7
  • API SSL. ( , # ).

  • URL, :

    api/products/GetById/750?u=828s388332e328e38&p=328e23e2i38324r423ur29834

    , , .

  • , . (1 1 ..). URL- :

    api/products/GetById/750?token=1241824123yxxcn2r348

  • / : MSDN

+3

Username/Password , , , (HTTP Basic Authentication), . :

using System;
using System.Net;
using System.Text;

HttpWebRequest req = (HttpWebRequest)WebRequest.Create(@"https://localhost:8010/api/Customer/1");
//Add a header to the request that contains our credentials
//DO NOT HARDCODE IN PRODUCTION!! Pull credentials real-time from database or other store.
string svcCredentials = Convert.ToBase64String(ASCIIEncoding.ASCII.GetBytes("user1" + ":" + "test"));
req.Headers.Add("Authorization", "Basic " + svcCredentials);

"WCF", "Web API", . "" , , . , HTTP 401.

WCF REST, IIS, :

REST, IIS

0
