How to secure an ASP.NET Web API


Question

I want to build a RESTful web service using ASP.NET Web API that third-party developers will use to access my application's data.

I've read quite a lot about OAuth and it seems to be the standard, but finding a good sample with documentation explaining how it works (and that actually does work!) seems to be incredibly difficult (especially for a newbie to OAuth).

Is there a sample that actually builds and works and shows how to implement this?

I've downloaded numerous samples:


  • DotNetOAuth - documentation is hopeless from a newbie's point of view

  • Thinktecture - can't get it to build

I've also looked at blogs suggesting a simple token-based scheme (like this) - this seems like re-inventing the wheel but it does have the advantage of being conceptually fairly simple.

It seems there are many questions like this on SO but no good answers.

What is everybody doing in this space?

Recommended answer

We have managed to apply HMAC authentication to secure Web API and it worked okay. Basically, HMAC authentication uses a secret key for each consumer, which both the consumer and the server know, to HMAC-hash a message; HMAC256 should be used. In most cases, the hashed password of the consumer is used as the secret key.

The message is normally built from data in the HTTP request, or even custom data added to the HTTP header; the message might include:


  1. Timestamp: the time the request is sent (UTC or GMT time)

  2. HTTP verb: GET, POST, PUT, DELETE

  3. Post data and query string

  4. URL

Under the hood, HMAC authentication would be:

The consumer sends an HTTP request to the web server after building the signature (the output of the HMAC hash); the template of the HTTP request:

User-Agent: {agent}
Host: {host}
Timestamp: {timestamp}
Authentication: {username}:{signature}

Example for GET request:

GET /webapi.hmac/api/values

User-Agent: Fiddler
Host: localhost
Timestamp: Thursday, August 02, 2012 3:30:32 PM
Authentication: cuongle:LohrhqqoDy6PhLrHAXi7dUVACyJZilQtlDzNbLqzXlw=

The message to hash to get the signature:

GET\n
Thursday, August 02, 2012 3:30:32 PM\n
/webapi.hmac/api/values\n

Example for a POST request with a query string (the signature below is not correct, just an example):

POST /webapi.hmac/api/values?key2=value2

User-Agent: Fiddler
Host: localhost
Content-Type: application/x-www-form-urlencoded
Timestamp: Thursday, August 02, 2012 3:30:32 PM
Authentication: cuongle:LohrhqqoDy6PhLrHAXi7dUVACyJZilQtlDzNbLqzXlw=

key1=value1&key3=value3

The message to hash to get the signature:

GET\n
Thursday, August 02, 2012 3:30:32 PM\n
/webapi.hmac/api/values\n
key1=value1&key2=value2&key3=value3

Please note that the form data and query string should be in order, so that the code on the server gets the query string and form data to build the correct message.

When the HTTP request comes to the server, an authentication action filter is implemented to parse the request and get the information: HTTP verb, timestamp, URI, form data and query string; then, based on these, it builds the signature (using the HMAC hash) with the secret key (hashed password) on the server.

The secret key is retrieved from the database using the username on the request.

Then the server code compares the signature on the request with the signature it built; if they are equal, authentication passes, otherwise it fails.

The code to build the signature:

using System;
using System.Security.Cryptography;
using System.Text;

// Builds the signature: HMAC-SHA256 over the canonical message, keyed with the
// consumer's (upper-cased) hashed password, returned as a Base64 string.
private static string ComputeHash(string hashedPassword, string message)
{
    var key = Encoding.UTF8.GetBytes(hashedPassword.ToUpper());
    string hashString;

    using (var hmac = new HMACSHA256(key))
    {
        var hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(message));
        hashString = Convert.ToBase64String(hash);
    }

    return hashString;
}

So, how to prevent replay attacks?

Add a constraint for the timestamp, something like:

servertime - X minutes|seconds <= timestamp <= servertime + X minutes|seconds

(servertime: the time the request arrives at the server)

And, cache the signature of the request in memory (use MemoryCache; it should be kept within the time limit). If the next request comes with the same signature as a previous request, it will be rejected.

The demo code is put here: https://github.com/cuongle/Hmac.WebApi
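The scheme described in the answer above, as an added example in Python (not the answer's C# code and not the linked demo project): the client builds the canonical message from verb, timestamp, path and the merged, sorted query-string and form parameters, signs it with HMAC-SHA256 keyed by the consumer's secret, and the server recomputes the signature, checks the timestamp window and rejects a signature it has already seen. The secret store, the Unix-epoch timestamp format, the newline after each message component and the `WINDOW_SECONDS` value are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Constructed per-consumer secret store; the answer looks this up by username
# in a database. The "hashed password" value is a placeholder, not real data.
SECRET_STORE = {"cuongle": "HASHED_PASSWORD_PLACEHOLDER"}

# The answer's "X minutes|seconds" window, assumed here to be 5 minutes.
WINDOW_SECONDS = 300


def canonical_params(query_string, form_body):
    """Merge query-string and form parameters and sort them, so client and
    server build byte-for-byte the same message whatever the wire order was."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    pairs += parse_qsl(form_body, keep_blank_values=True)
    return urlencode(sorted(pairs))


def build_message(verb, timestamp, path, query_string="", form_body=""):
    """Message layout from the answer: verb, timestamp (exactly as sent in the
    header), path, then the sorted parameters; every line newline-terminated."""
    lines = [verb.upper(), timestamp, path]
    params = canonical_params(query_string, form_body)
    if params:
        lines.append(params)
    return "\n".join(lines) + "\n"


def compute_signature(secret, message):
    """Mirror of the answer's ComputeHash: HMAC-SHA256 over the message with
    the upper-cased secret as key, Base64-encoded."""
    key = secret.upper().encode("utf-8")
    digest = hmac.new(key, message.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(username, secret, verb, path, query_string="", form_body="",
                 now=None):
    """Client side: returns the Timestamp and Authentication headers from the
    request template. Timestamps are Unix epoch seconds (an assumption)."""
    ts = str(int(time.time() if now is None else now))
    sig = compute_signature(secret,
                            build_message(verb, ts, path, query_string, form_body))
    return {"Timestamp": ts, "Authentication": f"{username}:{sig}"}


class HmacAuthenticator:
    """Server side: the action filter's logic. Verifies the signature, enforces
    the timestamp window and refuses a signature seen before (the MemoryCache
    idea from the answer, held in a plain dict here)."""

    def __init__(self, secrets, window_seconds=WINDOW_SECONDS):
        self.secrets = secrets
        self.window = window_seconds
        self.seen = {}  # signature -> time after which it can no longer replay

    def authenticate(self, headers, verb, path, query_string="", form_body="",
                     now=None):
        now = time.time() if now is None else now
        username, sep, presented = headers.get("Authentication", "").partition(":")
        if not sep or username not in self.secrets:
            return False, "unknown user or malformed header"
        ts = headers.get("Timestamp", "")
        try:
            ts_val = int(ts)
        except ValueError:
            return False, "bad timestamp"
        # servertime - X <= timestamp <= servertime + X
        if not (now - self.window <= ts_val <= now + self.window):
            return False, "timestamp outside window"
        expected = compute_signature(self.secrets[username],
                                     build_message(verb, ts, path, query_string, form_body))
        # Constant-time comparison so the check itself leaks nothing about the
        # expected value; compare as bytes so non-ASCII input cannot raise.
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return False, "signature mismatch"
        # Verify before consulting the cache, so only valid signatures are stored.
        self.seen = {s: exp for s, exp in self.seen.items() if exp > now}
        if presented in self.seen:
            return False, "replay"
        # A valid signature can be presented until its timestamp ages out.
        self.seen[presented] = ts_val + self.window
        return True, "ok"


def demo():
    """Runs the POST example from the answer through the server: first use,
    replay, tampered form data, and a stale timestamp."""
    path, qs, body = "/webapi.hmac/api/values", "key2=value2", "key1=value1&key3=value3"
    server = HmacAuthenticator(SECRET_STORE)
    t0 = 1_700_000_000
    hdrs = sign_request("cuongle", SECRET_STORE["cuongle"], "POST", path, qs, body, now=t0)
    first = server.authenticate(hdrs, "POST", path, qs, body, now=t0 + 5)
    replay = server.authenticate(hdrs, "POST", path, qs, body, now=t0 + 10)
    tampered = server.authenticate(hdrs, "POST", path, qs, "key1=value1&key3=other", now=t0 + 5)
    stale = server.authenticate(hdrs, "POST", path, qs, body, now=t0 + 3600)
    return first[1], replay[1], tampered[1], stale[1]


if __name__ == "__main__":
    print(demo())
```

The replay cache entry lives until the signed timestamp leaves the acceptance window; anything shorter would let the same request be accepted again once the entry was evicted, anything longer just wastes memory. The example also verifies the signature before touching the cache, so unauthenticated traffic cannot grow it.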
