How to implement the same authentication mechanism for both the asp.net mvc and web API
Goal is to create an api that can be shared by native mobile devices (ios, android, win phone) as well as web applications with various presentation layers (asp.net core MVC, angular).
Planning on using asp.net core web api for implementing a REST api that will be used by the mobile clients as well as javascript clients. My question is, since other presentation layers like asp.net MVC will be used, where ideally should security logic be placed? If we add the checks in the REST api then the asp.net MVC application controllers would have to call the REST web api using HttpClient instead of just referencing the business layer (shared class library).
The authentication of each application will be handled by json web tokens as they are mobile friendly and can scale easily. So my question is really about the authorization security and where it lives.
Option 1: web api (security lives here) > business/service layer > data access layer > data layer
Option 2: web api > business/service layer (security lives here) > data access layer > data layer
In option 1 this is fine for mobile and client front-ends as they have to call the REST api, but the asp.net core MVC would have to use HttpClient to call the REST api instead of calling the shared class library that makes up the business/service layer.
In option 2 all the REST api is responsible for is to call into the business/service layer, where the security is handled.
Sounds like you're aiming to build a Public API. This should be standalone and handle security by itself - the MVC website is just another client (that might happen to live in the same solution), but ideally you shouldn't have too many references between them (basically just the API contract). This way you'd also be able to catch broken backwards compatibility issues earlier, instead of the MVC site always working in a strongly typed manner (even through refactorings) while the others (especially mobile clients) wouldn't - you'll have to resort to versioning the API.
Performance really shouldn't be an issue if you take certain measures on the server side (eg caching); there are tons of APIs that work in this fashion.
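The layout the answer recommends (the web API validates the JWT and enforces authorization, the shared business layer only receives an already-authenticated identity), as an added ASP.NET Core example that is not part of the original question or answer. The issuer, audience, scope claim, `Jwt:SigningKey` setting and `OrderService` are assumptions for illustration.

```csharp
// Added example (not from the original post): the public API is the trust boundary.
// It validates the bearer token and enforces a policy; the shared business layer
// trusts the identity handed to it and never parses tokens itself.
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Signing key comes from configuration / a secret store, never from source code.
var signingKey = new SymmetricSecurityKey(
    Encoding.UTF8.GetBytes(builder.Configuration["Jwt:SigningKey"]!));

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = "https://issuer.example",   // assumed issuer
        ValidateAudience = true,
        ValidAudience = "orders-api",             // assumed audience; rejects tokens minted for other APIs
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = signingKey,
        ValidateLifetime = true,
        ClockSkew = TimeSpan.FromSeconds(30),     // library default is 5 minutes; tighten it
    });

// Authorization is a named policy at the API edge, so every client (mobile app,
// SPA, and the MVC site calling over HttpClient) is held to the same rule.
// Assumes the issuer emits one "scope" claim per granted scope.
builder.Services.AddAuthorization(o =>
    o.AddPolicy("orders.read", p => p.RequireClaim("scope", "orders.read")));

builder.Services.AddScoped<OrderService>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// The endpoint passes the validated caller identity down; nothing below re-checks the token.
app.MapGet("/orders", (ClaimsPrincipal user, OrderService svc) =>
        Results.Ok(svc.ListForUser(user.FindFirstValue(ClaimTypes.NameIdentifier)!)))
   .RequireAuthorization("orders.read");

app.Run();

// Hypothetical shared business layer. If the MVC site referenced it directly
// (option 2), the MVC site would itself become a trust boundary that must
// validate tokens; keeping it behind the API avoids that duplication.
public sealed class OrderService
{
    public IReadOnlyList<string> ListForUser(string userId) =>
        new[] { $"order-for-{userId}" }; // constructed sample data
}
```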