堆栈内存溢出
  简体   繁体   English

在ASP.NET MVC Web API服务和MVC客户端体系结构中实现身份验证和基于角色的授权

[英]Implementing Authentication and role based authorization in ASP.NET MVC web API service and MVC client architecture

 原文  2013-10-29 14:37:00       asp.net/ asp.net-mvc/ asp.net-mvc-4/ asp.net-web-api/ asp.net-authorization

问题描述

I'm having hard time in deciding an approach while implementing Authentication/Authorization scenario for my Web API (Service) - MVC (client) architecture project. 在为我的Web API(服务)-MVC(客户端)体系结构项目实施身份验证/授权方案时,我很难决定一种方法。 Even though i have implemented Custom token based authentication in Web API project, I'm finding it hard where exactly i should implement the authorization (In Client or in API itself). 即使我已经在Web API项目中实现了基于自定义令牌的身份验证,但我仍然很难在哪里确切地实现授权(在客户端或在API本身中)。

Architecture Overview : 架构概述:

  • Projects Solution - 项目解决方案-
    | |
    | | __ ASP.NET Web API based REST service (Independently hosted on IIS at M/C 1) __基于ASP.NET Web API的REST服务(独立托管在IIS上的M / C 1)
    | |
    | | __ ASP.NET MVC based Client (independently hosted on IIS at M/C 2 Consuming REST service) __基于ASP.NET MVC的客户端(独立托管在IIS上的M / C 2消耗REST服务)
    | |
    | | __ Smart phone client Application (Consuming the REST service) __智能手机客户端应用程序(使用REST服务)

Already implemented authentication : 已实施身份验证:

  • Token based authentication in Web API (using Message Handler) - Which generates SHA1 encripted token for authenticated user which needs to be a part of every http request header for authentication. Web API中的基于令牌的身份验证(使用消息处理程序)-它为经过身份验证的用户生成SHA1加密令牌,该令牌需要成为每个HTTP请求标头中的一部分。
    (Token = User Name + User IP) (令牌=用户名+用户IP)

  • SSL protected HTTP request. 受SSL保护的HTTP请求。 (Again, Using Message Handler) (同样,使用消息处理程序)

Current problems : 当前问题:

  1. At what layer the authorization should be implemented? 授权应在哪一层实施?
  2. How does user role should be persisted at client? 用户角色应如何在客户端保持不变? Using Cookies? 使用Cookies? or Adding role information to Token itself ( Which might add overhead for API to decrypt the information and extra DB calls to retrieve permissions associated with that role) 或将角色信息添加到令牌本身(这可能会增加API解密信息的开销以及额外的DB调用来检索与该角色关联的权限的开销)
  3. How the Authentication Token should be persisted with Client session? 身份验证令牌应如何与客户端会话保持在一起?
  4. Since, my application is SPA MVC application, What is the best way to include the Authentication token as a part of every AJAX call i make to API? 既然我的应用程序是SPA MVC应用程序,那么将身份验证令牌作为我对API进行的每个AJAX调用的一部分的最佳方法是什么?

I hope, I'm not doing things wrong while taking the whole authentication/authorization concept in to consideration. 我希望,在考虑整个身份验证/授权概念的同时,我没有做错任何事情。 Thus, I'll appreciate any alternate approach/suggestion. 因此,我将不胜感激任何替代方法/建议。

2 个解决方案

解决方案1
 3 已采纳  2013-10-29 15:39:48

First of all I think it's never a good idea to invent your own authentication mechanism. 首先,我认为发明自己的身份验证机制绝不是一个好主意。

To answer your current problems: 要回答您当前的问题:

1 Generally spoken you always want to secure your Api using authentication since it's the place where you access your data. 1通常来说,您总是希望使用身份验证来保护Api,因为它是您访问数据的地方。 Your client (MVC App/Smartphone) should authorize itself to get access to your Api. 您的客户端(MVC应用程序/智能手机)应授权自己访问您的Api。

2 & 3 Since you are using a REST Api I would suggest to keep your Api stateless, with other words, don't keep any session information. 2&3因为您使用的是REST Api,所以我建议保持Api无状态,换句话说,不要保留任何会话信息。 Just include the role data you need in your Token. 只需在令牌中包括所需的角色数据即可。 You could use for example an JSON Web Token . 例如,您可以使用JSON Web令牌

4 I would always use the authorization header to send authorization data. 4我将始终使用授权标头发送授权数据。 In your DelegatingHandler (Note the difference MessageHandler MVC, DelegatingHander HTTP) you can simpy retrieve the header. 在您的DelegatingHandler中(请注意不同的MessageHandler MVC,DelegatingHander HTTP),您可以通过simpy检索标头。 

protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
 {
    var authorizationHeader = request.Headers.Authorization;
    // Your authorization logic.

    return base.SendAsync(request, cancellationToken);
 }

For more info on how to include the authorization header in an ajax call please see: How to use Basic Auth with jQuery and AJAX? 有关如何在ajax调用中包括授权标头的更多信息,请参见: 如何在jQuery和AJAX中使用Basic Auth?

Extra info: 额外信息:

If I were you I would also take a look at Thinktecture's Identity Server: https://github.com/thinktecture/Thinktecture.IdentityServer.v2 如果您是我,我还将看一下Thinktecture的Identity Server: https : //github.com/thinktecture/Thinktecture.IdentityServer.v2

And maybe this answer about REST Service Authentication will help you as well: REST service authentication 也许这个答案关于REST服务的身份验证将帮助您还有: REST服务认证

解决方案2
 0  2013-10-29 15:20:34

为什么要创建一个完整的令牌系统(除非您使用某种联合安全性),否则您将具有表单身份验证和cookie,一旦设置并返回cookie,浏览器就会将cookie与SPA发出的所有AJAX请求一起发送给cookie。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 ASP.NET MVC 4中的身份验证和角色授权 - Authentication and role authorization in ASP.NET MVC 4 ASP.net MVC 4中基于角色的授权 - Role based Authorization in ASP.net MVC 4 ASP.NET MVC + Web API2 + AngularJS授权和身份验证 - ASP.NET MVC + Web API2 + AngularJS authorization and authentication 使用自定义表在MVC和Web API中实现基于角色的授权 - Implementing role based authorization in MVC and Web API with custom table asp.net mvc 4 web api中的授权 - authorization in asp.net mvc 4 web api 基于站点/ URL的ASP.NET MVC角色授权 - ASP.NET MVC Role Authorization based on Site/URL 使用Asp.net MVC 6和Web Api进行身份验证 - Authentication with Asp.net MVC 6 and Web Api 具有基于角色的授权的ASP.NET Web Api - ASP.NET Web Api with Role based authorization ASP.NET Web API + ASP.NET MVC身份验证 - ASP.NET Web API + ASP.NET MVC Authentication ASP.NET MVC 3自定义身份验证/授权 - ASP.NET MVC 3 Custom Authentication/Authorization
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM