Web API验证用户并检查是否有权访问资源
[英]Web API Authenticate user and check if has access to a resource
问题描述
I need an advise. 
我需要一个建议。 I'm building a Web API for my app and I need to auth users who use it. 我正在为我的应用程序构建Web API,并且需要对使用它的用户进行身份验证。 The user will have access to his data, but may have access to others users data as well. 用户将有权访问其数据,但也可能会访问其他用户的数据。 In my database I manage the users and what other users they have access to (you might think of it like in Facebook where a user has access to his profile and his friends profiles, but not to other people profiles). 在我的数据库中,我管理用户以及他们可以访问的其他用户(您可能会认为它就像在Facebook中一样,用户可以访问他的个人资料和他的朋友个人资料,但不能访问其他人的个人资料)。
In my app, the user enters a username and password, and those are saved encrypted on the devise. 在我的应用程序中,用户输入用户名和密码,然后将其加密保存在设备中。 They are later sent (via SSL) to the API on each call - what I've done is implement a Basic Authentication. 稍后在每次调用时将它们发送(通过SSL)到API-我所做的是实现基本身份验证。 If there is a better "best practice" to work please feel free to suggest - I'm new to this. 如果有更好的“最佳实践”来工作,请随时提出建议-我是新手。
So far it works - but the problem is that working like this 到目前为止,它可以工作-但问题是这样工作
- the user once authenticated also has access to other profiles - what I would like to do is have him only get the profile ( http://myaddress.com/Users/ {id}) that belongs to him and the items that he owns ( http://myaddress.com/Users/ {id}/items) - and not for profiles and items by other users. 该用户一旦通过身份验证,还可以访问其他个人资料-我想做的就是让他仅获得属于他的个人资料( http://myaddress.com/Users/ {id})和他拥有的物品( http://myaddress.com/Users/ {id} / items)-不适用于其他用户的个人资料和项目。
- If the user is trying to access a profile or items of another user that he is connected to - allow that access. 如果用户试图访问与其连接的另一个用户的配置文件或项目-允许该访问。
What I thought about is passing the requested URI to my login method, and then check what user / resource the user is trying to access and than check the database - but that seems like a lot of work and a lot of IF statements. 我考虑过的是将请求的URI传递给我的登录方法,然后检查用户尝试访问的用户/资源,然后检查数据库-但这似乎需要大量工作和大量IF语句。
So before I start writing, I thought I'd ask to see if there's a better way to do this. 所以在我开始写作之前,我想问一下是否有更好的方法可以做到这一点。 I have the HttpActionContext, I just don't know how to use it to my advantage. 我有HttpActionContext,我只是不知道如何使用它来发挥我的优势。
Hope I was clear about my question. 希望我清楚我的问题。 If not, feel free to ask for clarifications. 如果没有,请随时进行澄清。
1 个解决方案
解决方案1
0 2015-01-16 13:11:36
So you identify the user from his/her credentials that are sent on every API request. 因此,您可以根据每个API请求发送的凭据来识别用户。 Could be switched some token based flow, that user authenticates just once and gets token(acts like user credentials) which is then sent to back-end API on every resource request. 可以切换一些基于令牌的流程,使用户仅进行一次身份验证并获取令牌(类似于用户凭据),然后在每次资源请求时将其发送到后端API。 Then you can control the token, revoke access etc. What you could is make some kind of permission service, that all resources/objects have permissions attached to it and then just assign needed persmission to users read/write to this object maybe. 然后,您可以控制令牌,撤消访问权限等。您可以做的是提供某种权限服务,即所有资源/对象都具有附加的权限,然后仅向需要读写该对象的用户分配所需的权限。 Might be a massive task to implement. 可能是一项艰巨的任务。 My opinions. 我的意见
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.