ValidateAntiForgeryToken如何与可通过Web或本机应用程序访问的Web API配合使用? [英] How does ValidateAntiForgeryToken fit with Web APIs that can be accessed via web or native app?
问题描述
我试图了解如何使用ASP.NET Web API来制作API,该API会受到保护,免受
I'm trying to understand how I will be able to craft an API using ASP.NET Web API which will be protected from CSRF, while still being accessible from non-web environments (e.g. native mobile applications).
我首先想到的是,非Web环境永远无法成功通过防伪令牌验证,因为它没有张贴的表单.这是真的?有什么方法可以使验证工作?
My first thought would be that a non-web environment can never successfully pass an anti-forgery token validation, since it doesn't have a form that is posted. Is this true? Is there any way to make validation work?
如果没有验证方法,我的第二个想法是提供一个API,该API可以验证针对网络调用的伪造令牌,而不是针对非网络调用的伪造令牌.但是,看来攻击者同样可以轻松地使用此非网络" API进行CRSF攻击,对吧?
If there isn't a way to validate, my second thought is to offer an API which validates anti-forgery tokens for web calls but not for non-web calls. However, it seems like an attacker would just as easily be able to use this "non-web" API for a CRSF attack, right?
答案是非Web API仅需要支持非Web身份验证机制(OAuth?),以便不能通过浏览器重播对它的请求吗?还是有更简单的方法?
Is the answer that the non-web API needs to only support a non-web authentication mechanism (OAuth?), so that requests to it cannot be replayed via a browser? Or is there a simpler way?
如果那是唯一的方法,是否有一种简单的方法可以关闭所有不安全的身份验证机制?在ASP.NET Web API中是否应该有一条简单/快乐的路径来支持这些方案?
If that's the only way, is there an easy way to turn off all of the insecure authentication mechanisms? Shouldn't there be a somewhat simple/happy path in ASP.NET Web API to support these scenarios?
推荐答案
仅当您使用持久身份验证机制(例如cookie,基本身份验证,NTLM等)时,CSRF才成为问题.Mike Wasson具有
CSRF only becomes a problem when you are using a persistent auth mechanism such as cookies, basic auth, NTLM etc. Mike Wasson has an example of using CSRF against webapi in Javascript - and I've seen versions in DelegatingHandlers ....
由于CSRF只是Web场景中的一个问题,因此您可以说实际上没有必要检查非Web请求.来自浏览器的每个ajax请求,无论是通过jquery,本机XmlHttpRequest类还是任何带有标头的东西-X-Requested-With,其值都为XMLHttpRequest.因此,您可以将CSRF检查限制为仅带有该标头的请求,因为没有它的任何内容都必须来自浏览器之外.
As CSRF is only a problem in web scenarios you can argue there's no real need to check for non-web requests. Every ajax request from a browser, whether via jquery, the native XmlHttpRequest classes or whatever comes with a header - X-Requested-With, which will have a value of XMLHttpRequest. So you could limit your CSRF checks to just requests with that header, as anything without it must have come from outside a browser.
前面已经说过,如果要进行身份验证,我将研究某种共享的机密或OAuth机制,并使用DelegatingHandler服务器端进行验证,然后在Web应用程序中将令牌放在可以进行验证的位置可以通过javascript提取并通过X-Authentication标头发送-由于它不是持久性的,因此需要附加到每个请求(就像CSRF令牌一样),因此没有CSRF问题.Dominick和以往一样文档很好.
这篇关于ValidateAntiForgeryToken如何与可通过Web或本机应用程序访问的Web API配合使用?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
