[英]Authorization and Authentication ASP.Net web api
I am new to developing API's and have built ASP.NET web api capability into an existing MVC project of mine. 我是开发API的新手,并且已经将ASP.NET Web API功能构建到我现有的MVC项目中。 I am going to want clients to have the ability to send JSONs of multiple object instances that I can persist to my DB but currently the API consists only of the Values template that the framework provides and I'd like to sort out securing it now before moving forward developing the API fully: 我希望客户端能够将多个对象实例的JSON发送至数据库,但目前该API仅由框架提供的Values模板组成,我现在想先对其进行保护继续全面开发API:
[Authorize]
public class ValuesController : ApiController
{
// GET api/<controller>
public IEnumerable<string> Get()
{
return new string[] { "value1", "value2" };
}
// GET api/<controller>/5
public string Get(int id)
{
return "value";
}
// POST api/<controller>
public void Post([FromBody]string value)
{
}
// PUT api/<controller>/5
public void Put(int id, [FromBody]string value)
{
}
// DELETE api/<controller>/5
public void Delete(int id)
{
}
}
The Authorize tag requires a user to log in on my site at the moment, and I am confused as to how my API could be called programmatically in this instance. 目前,Authorize标记要求用户登录我的网站,在这种情况下如何以编程方式调用我的API令我感到困惑。
I am wanting to secure the api whereby a client wanting to use it will have to provide their unique API key in order to access functionality. 我想保护api,以便要使用它的客户端必须提供其唯一的API密钥才能访问功能。 Furthermore I would like to use this API key to establish which user has called the API so that I can respond to them using only their data. 此外,我想使用此API密钥来确定哪个用户调用了该API,以便仅使用他们的数据来响应他们。
What are the steps involved in putting this in place from the early starting point I'm at (just having integrated the Web Api functionality)? 从我所处的早期出发(仅集成了Web Api功能),将其落实到位的步骤是什么?
I've been looking at and getting confused by HMAC authentication, although this does seem similar to what I'm after it seems quite complicated to implement (maybe just because I'm in a new area here) and I thought there must be a simpler way to achieve what I want? 我一直在关注HMAC身份验证,但对此感到困惑,尽管这似乎与我实施起来非常复杂(可能只是因为我位于此处的新领域)相类似,但我认为必须有一个实现我想要的更简单的方法?
A quick solution is to extend AuthorizeAttribute
and define your authentication logic there. 一种快速的解决方案是扩展AuthorizeAttribute
并在那里定义身份验证逻辑。 See this SO question for an example. 有关示例,请参见此SO问题 。
A little bit more modular approach is to create an authentication filter. 一些模块化的方法是创建一个身份验证过滤器。 See ASP.NET docs here . 在此处查看ASP.NET文档 。 This way you can separate authentication and authorization. 这样,您可以将身份验证和授权分开。
As for HMAC vs Basic authentication, I would go with the simpler Basic authentication is security is not a key component of your system. 至于HMAC与基本身份验证,我会选择简单的基本身份验证,因为安全性不是系统的关键组成部分。 This way you can ship v1.0 faster. 这样,您可以更快地发布v1.0。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.