stackoom
  简体   繁体   中英

ASP.NET WebAPI client authorization in a distributed application

 原文  2013-09-30 22:57:47       wcf/ security/ asp.net-web-api/ authorization/ n-tier-architecture

Question

I am creating a distributed application which will use ASP.NET Web API to support a Single-Page web Application (SPA) and other potential native mobile app platforms. My current architecture uses Thinktecture Identity Server as a STS which will provide authorization tokens for my clients to use to access the WebAPI. In the backend I will have persistence and business logic which will be exposed by a WCF service in a separate app domain from my WebAPI. The WebAPI will call the service layer to access data and perform actions on the domain.

My question is around authorization . I will be using Claims Based Authorization and can augment the list of claims from domain data held about the user from my WCF exposed business layer. But where should I carry out the authorization? With .NET 4.5, ASP.NET now has an extensible model to enable me to separate out authorization logic from my controllers into a separate authorization module - using the ClaimsAuthorizationManager. Also, Thinktecture.IdentityModel does a really good job of providing all the plumbing to do this within my WebAPI application. However, I cannot help thinking that the authorization logic should be sitting in my business layer, behind the WCF service, and that the client-facing WebAPI should not be tasked with enforcing this. Should I require other client facing hosted apps to consume my WCF based business layer, then they would also need to implement security code. On the downside, it does mean that an unauthorized request gets quite far into the application before being rejected.

Question : should I use the Claims based authorization capabilities in ASP.NET or should I wrap authorization around my business layer behind the WCF service?

1 answers

solution1
 1  2013-10-01 16:42:39

When possible, you should always try to use the authorization tools the framework you use gives you. In Microsoft's case, it's claims-based authorization. The benefit is that you're isolating your authorization logic in a layer of its own rather than within your business logic.

Claims-based authorization is one of many approaches to authorization. Another would be to use XACML. I recently gave a talk on XACML for developers (albeit Java developers). You can read more about it here . I also wrote an article on .NET and XACML which you can check out here .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question WCF Client in ASP.NET Application Silverlight and ASP.NET authorization ASP.NET WEBAPI Internal/External Usage ASP.NET Client Application Services Authentication and WCF WCF ChannelFactory and Channel caching in ASP.NET client application How to use WCF client in ASP.NET application? How to consume a ASP.NET Core WebAPI in a C# UWP application? wcf authorization (request filtering) from asp.net forms auth client WCF Service Get Data From Client Application And Send to Web Application (Asp.NET) chat application in asp.net
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM