堆栈内存溢出
  简体   繁体   English

验证站点/应用程序以访问Web API服务

[英]Authenticate a site/app to access a Web API Service

 原文  2014-05-18 02:56:47       c#/ asp.net/ asp.net-mvc/ web-services/ angularjs

问题描述

Brief question: I've a Web API Service in .NET, and a Site made only with HTML and AngularJS. 简短问题:我在.NET中使用Web API服务,并且只使用HTML和AngularJS创建了一个站点。

How can authorize to my service ONLY my web? 如何仅通过我的网络授权我的服务?

I'm looking for a secure answer to a problem that seems to be common but is not. 我正在寻找一个似乎很常见的问题的安全答案,但事实并非如此。 I read a lot of answers, ideas and every kind of things in the late days, but I couldn't find the solution. 我在后期阅读了很多答案,想法和各种事情,但我找不到解决方案。

Let's suppose I've a Web Api Service (the lastest one) from MS. 让我们假设我有一个来自MS的Web Api服务(最新的)。 So I have to application that need consumes it. 所以我必须使用需要消耗它的应用程序。 Let's define two scenarios. 我们来定义两个场景。

Scenario 1: 场景1:

In the same IIS, I've an ASP.NET MVC 3/4 with the particularity that all MVC work is on the client side, made by AngularJS, so the App points directly from JavaScript to the Web Api Service. 在同一个IIS中,我有一个ASP.NET MVC 3/4,其特点是所有MVC工作都在客户端,由AngularJS制作,因此App直接从JavaScript指向Web Api服务。

Scenario 2: 场景2:

I've a third party application that points directly to the Web Api Service, and is locate in other network/site/anything but related. 我有一个第三方应用程序直接指向Web Api服务,并且位于其他网络/站点/任何但相关的任何内容。

So, my question is: 所以,我的问题是:

How can authenticate both systems, in order to the Web Api Service gives access to both system (I don't care if is the same way or not), and not give access for example to a guy with a REST client, and logged to the site with user/pass authorization? 如何验证两个系统,以便Web Api服务提供对两个系统的访问(我不在乎是否相同),并且不向例如具有REST客户端的人提供访问权限,并且登录到具有用户/通行证授权的网站? I hope these both examples gave the idea of the point what I'm interested. 我希望这两个例子都能说明我感兴趣的观点。

Please comment below anything you need to improve this question in a better way! 请在下面评论您需要以更好的方式改进此问题!

By the way, no, obfuscation can not be used. 顺便说一句,不,不能使用混淆。 I thought in something like a refreshing token but I can't figure it. 我想像一个令人耳目一新的令牌,但我无法想象。

2 个解决方案

解决方案1
 10 已采纳  2014-05-27 16:50:08

How I would set up authentication with your Scenario 1 : 我将如何使用您的方案1设置身份验证:

I will force the static files to go through the server in order to ensure authentication 我将强制静态文件通过服务器以确保身份验证

Web.config Web.config文件 

<compilation>
    <buildProviders>
        <add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
        <add extension=".htm" type="System.Web.Compilation.PageBuildProvider" />
    </buildProviders>
</compilation>

<system.webServer>
     <handlers>
         <add name="HTML" path="*.html" verb="GET, HEAD, POST, DEBUG"   type="System.Web.UI.PageHandlerFactory" resourceType="Unspecified" requireAccess="Script" />
         <add name="HTM" path="*.htm" verb="GET, HEAD, POST, DEBUG" type="System.Web.UI.PageHandlerFactory" resourceType="Unspecified" requireAccess="Script" />
     </handlers>
</system.webServer>

This will allow me to set up <authentication> and <authorization> in my web.config like: 这将允许我在我的web.config中设置<authentication><authorization> ,如: 

<authorization>
  <allow roles="demo" />
</authorization>

or 要么 

 <authorization>
   <deny users="?" />
 </authorization>

Additionally I will set up my login page: 另外,我将设置我的登录页面: 

<authentication mode="Forms">
      <forms  path="/" loginUrl="~/login"..

For Scenario 2 : 对于场景2

Probably you will need to enable CORS, if it is the case you will need to: 可能你需要启用CORS,如果是这种情况你需要:

Set the config option config.EnableCors(); 设置配置选项config.EnableCors(); in your Register method; 在你的Register方法中; you will also need to enable CORS in your ApiController by using [EnableCors] attribute along with the declaration of the controller, here is an example how I do it: 您还需要通过使用[EnableCors]属性以及控制器的声明在ApiController中启用CORS,以下是我如何执行此操作的示例: 

 [EnableCors(origins: "http://localhost:49595", headers: "*", methods: "*")]
 public class ValuesController : ApiController
 {
 ...

Finally to secure the WebApi we will need to use an attribute [Authorize] in the controllers and most likely you will need to define your custom authentication method to authorize your second callers. 最后,为了保护WebApi,我们需要在控制器中使用属性[Authorize] ,并且很可能需要定义自定义身份验证方法来授权第二个调用者。 You could follow these steps: 您可以按照以下步骤操作:

解决方案2
 4  2014-05-18 11:10:36

Not exactly an answer to the question but what I want to say is too long for a comment, so... 不完全是问题的答案,但我想说的是评论太长,所以......

There are various ways to secure a RESTful service , but if you want to restrict access to it you mainly have two approaches: 多种方法可以保护RESTful服务 ,但是如果要限制对它的访问,则主要有两种方法:

  • use the service only from an internal network or through a VPN of some sort (ie control the environment over which the service is accessed and allow access only from some specific sources); 仅从内部网络或某种VPN使用该服务(即控制访问该服务的环境,并允许仅从某些特定来源访问);
  • have the service exposed to the public but then have the application or server drop any requests that don't meet some requirements (ie not authenticated, missing tokens, bad signatures etc). 让服务暴露给公众,然后让应用程序或服务器删除任何不符合某些要求的请求(即未经过身份验证,缺少令牌,错误签名等)。

Depending on what you are doing, none of the above could work. 根据您的工作情况,以上都不适用。

What you want (as I understand from your question) is to limit the clients accessing your service to just two. 您想要的是(根据您的问题我理解)是将访问您服务的客户限制为两个。 Of the top of my head I can only think of HTTPS with mutual authentication . 在我的头脑中,我只能想到使用相互身份验证的HTTPS。 You use client side certificates to authenticate the client. 您使用客户端证书来验证客户端。 IIS will handle the connection so if your clients make a request without presenting a certificate the request is rejected. IIS将处理连接,因此如果您的客户端在未提供证书的情况下发出请求,则拒绝该请求。 Nobody can access your service unless they have a client certificate provided by you. 没有人可以访问您的服务,除非他们拥有您提供的客户证书。

So it's a matter of issuing one certificate for each client. 所以这是为每个客户发放一个证书的问题。 This works for the third party app but it might be impossible to implement because of the browsers accessing your API directly. 这适用于第三方应用,但由于浏览器直接访问您的API,因此可能无法实施。 This will mean you need to install a certificate for each browser accessing your MVC application or move access to the API on the MVC server side and no longer call it directly from AngularJS. 这意味着您需要为访问MVC应用程序的每个浏览器安装证书,或者在MVC服务器端移动对API的访问权限,而不再直接从AngularJS调用它。 If you can do either of that it's fine, otherwise it's back to the drawing board... 如果你可以做任何一件事就没事了,否则就会回到绘图板......

Hope this helps! 希望这可以帮助! And if you find a suitable solution please post it as an answer on SO. 如果您找到合适的解决方案,请将其作为答案发布在SO上。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在Windows Azure Web App上发布的asp.net网站中访问Web服务 - How to to access web service in asp.net web site whcih publish on windows azure Web App 使用我的API中的访问令牌对C#MVC Web应用程序进行身份验证的最佳方法 - Best way to authenticate a C# MVC web app using an access token from my API 验证网络服务 - Authenticate a web service 如何在同一应用程序中对MVC Web应用程序和Web API进行身份验证/授权 - How to authenticate/Authorize the MVC web app and web api in the same application 通过Web API访问Sharepoint 2013网站 - Access to sharepoint 2013 site from web api Web API验证用户并检查是否有权访问资源 - Web API Authenticate user and check if has access to a resource 如何验证ASP.NET Web应用程序以访问SQL数据库 - How to authenticate an asp.net web app to access sql database 如何在 WPF 应用程序中使用 Z3A580F142203677F0BC30898 AZFZ 验证 web api - How to authenticate web api in WPF app using Azure AD 验证Web服务中的Solr连接 - Authenticate Solr connection in web service 使用Windows身份验证站点中托管的Web服务配置匿名访问 - Configure a web service w/ Anonymous Access hosted in a Windows Authentication site
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM