简体繁体 English

分布式应用程序中的ASP.NET WebAPI客户端授权

[英]ASP.NET WebAPI client authorization in a distributed application

原文 2013-09-30 22:57:47 5 1 wcf/ security/ asp.net-web-api/ authorization/ n-tier-architecture

I am creating a distributed application which will use ASP.NET Web API to support a Single-Page web Application (SPA) and other potential native mobile app platforms. 我正在创建一个分布式应用程序，它将使用ASP.NET Web API来支持单页Web应用程序（SPA）和其他潜在的本机移动应用程序平台。 My current architecture uses Thinktecture Identity Server as a STS which will provide authorization tokens for my clients to use to access the WebAPI. 我当前的体系结构使用Thinktecture Identity Server作为STS，它将为我的客户端提供用于访问WebAPI的授权令牌。 In the backend I will have persistence and business logic which will be exposed by a WCF service in a separate app domain from my WebAPI. 在后端，我将拥有持久性和业务逻辑，这些逻辑将由WCF服务与WebAPI分开的应用程序域公开。 The WebAPI will call the service layer to access data and perform actions on the domain. WebAPI将调用服务层以访问数据并在域上执行操作。

My question is around authorization . 我的问题是关于授权 。 I will be using Claims Based Authorization and can augment the list of claims from domain data held about the user from my WCF exposed business layer. 我将使用基于声明的授权，并可以从WCF暴露的业务层中有关用户的域数据中扩展声明列表。 But where should I carry out the authorization? 但是我应该在哪里进行授权？ With .NET 4.5, ASP.NET now has an extensible model to enable me to separate out authorization logic from my controllers into a separate authorization module - using the ClaimsAuthorizationManager. 在.NET 4.5中，ASP.NET现在具有一个可扩展的模型，使我可以使用ClaimsAuthorizationManager将授权逻辑从控制器中分离到单独的授权模块中。 Also, Thinktecture.IdentityModel does a really good job of providing all the plumbing to do this within my WebAPI application. 另外， Thinktecture.IdentityModel在提供所有管道以在我的WebAPI应用程序中执行此任务方面做得非常好。 However, I cannot help thinking that the authorization logic should be sitting in my business layer, behind the WCF service, and that the client-facing WebAPI should not be tasked with enforcing this. 但是，我不禁想到授权逻辑应该位于我的业务层中，在WCF服务之后，并且不应该对面向客户端的WebAPI强制执行此任务。 Should I require other client facing hosted apps to consume my WCF based business layer, then they would also need to implement security code. 如果我要求其他面向客户端的托管应用程序使用我基于WCF的业务层，那么他们还需要实现安全代码。 On the downside, it does mean that an unauthorized request gets quite far into the application before being rejected. 不利的一面是，这确实意味着未经授权的请求会在拒绝之前进入应用程序。

Question : should I use the Claims based authorization capabilities in ASP.NET or should I wrap authorization around my business layer behind the WCF service? 问题：应该在ASP.NET中使用基于声明的授权功能，还是应该在WCF服务后面的业务层中包装授权？

1 个解决方案

When possible, you should always try to use the authorization tools the framework you use gives you. 如果可能，您应该始终尝试使用所使用的框架提供的授权工具。 In Microsoft's case, it's claims-based authorization. 就微软而言，它是基于声明的授权。 The benefit is that you're isolating your authorization logic in a layer of its own rather than within your business logic. 这样做的好处是，您可以将授权逻辑隔离在其自身的一层中，而不是在业务逻辑中。

Claims-based authorization is one of many approaches to authorization. 基于声明的授权是许多授权方法之一。 Another would be to use XACML. 另一种可能是使用XACML。 I recently gave a talk on XACML for developers (albeit Java developers). 我最近为开发人员（尽管是Java开发人员）做了有关XACML的演讲。 You can read more about it here . 您可以在此处了解更多信息。 I also wrote an article on .NET and XACML which you can check out here . 我还写了一篇有关.NET和XACML的文章，您可以在此处查看。