Securing Web API in .Net


Problem description

I'm implementing a Web API where I have different roles available. I have the below scenario which needs to be secured.

For example, I have a method GetEmployeesDetails(ids), where I fetch, by the ids, the details of all the employees who are under the user accessing the method (the logged-in user). I validate the user accessing the method with the Authorize attribute. Now suppose I have another valid user who has some other employees under him, but he hacks the system and provides some different ids as input to the method; the method will respond with the data. I want to validate that the input provided cannot be tampered with, or somehow validate whether the ids are under the user currently accessing the method. Has anyone come across such a scenario? Any help in this regard will be appreciated.

Thanks

What I have tried:

I have validated whether the user accessing the method is authorised to access the data for the ids provided in the input, but this adds overhead to the workflow. Is there any global concept I can implement to handle such scenarios? This API will be public, hence security is the major concern.

Recommended answer

There are a few ways to get there. The easy two are:

1. In the business layer, before returning data, check whether the ids provided by the current user are valid or not.

2. Customize the Authorize filter.
Writing your own custom ASP.Net MVC [Authorize] attributes - Diary Of A Ninja

You can also pass parameters to your custom attribute. This will enable you to conditionally execute logic blocks if needed.
c# - How to add 'pass parameter' to custom AuthorizeAttribute - Stack Overflow
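The two options in the answer, written out as an added example for ASP.NET Core (this is not code from the original question or answer). Option 1 is the inline business-layer check inside the action; option 2 is the same check packaged as a reusable filter that takes a parameter naming the action argument to inspect. The `Employee` record, `IEmployeeRepository`, the in-memory repository and the `manager_id` claim name are assumptions made for the illustration; the real ownership rule lives in whatever query backs `GetByManagerAsync`. The key point both options share: the caller's identity comes from the authenticated principal, never from the request, and the request is refused if even one requested id is not under that caller.

```csharp
// Added example, not from the original post. Assumes ASP.NET Core Web API.
// Employee, IEmployeeRepository, InMemoryEmployeeRepository and the
// "manager_id" claim are hypothetical names chosen for this illustration.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

public record Employee(int Id, int ManagerId, string Name);

public interface IEmployeeRepository
{
    // Returns only those of the requested ids that belong to the given manager.
    Task<IReadOnlyList<Employee>> GetByManagerAsync(int managerId, IEnumerable<int> ids);
}

// Constructed sample data so the example is self-contained.
public class InMemoryEmployeeRepository : IEmployeeRepository
{
    private static readonly Employee[] Data =
    {
        new(1, 100, "Alice"), new(2, 100, "Bob"),   // under manager 100
        new(3, 200, "Carol"),                       // under manager 200
    };

    public Task<IReadOnlyList<Employee>> GetByManagerAsync(int managerId, IEnumerable<int> ids)
    {
        var wanted = ids.ToHashSet();
        IReadOnlyList<Employee> result =
            Data.Where(e => e.ManagerId == managerId && wanted.Contains(e.Id)).ToList();
        return Task.FromResult(result);
    }
}

// Option 1: the ownership check done in the action / business layer.
[ApiController]
[Route("api/employees")]
[Authorize(Roles = "Manager")]   // authentication and role decide WHO may call at all
public class EmployeesController : ControllerBase
{
    private readonly IEmployeeRepository _repo;
    public EmployeesController(IEmployeeRepository repo) => _repo = repo;

    [HttpGet("details")]
    public async Task<IActionResult> GetEmployeesDetails([FromQuery] int[] ids)
    {
        // The manager is derived from the principal, never from the request.
        var managerId = int.Parse(User.FindFirstValue("manager_id"));
        var requested = ids.Distinct().ToArray();
        var owned = await _repo.GetByManagerAsync(managerId, requested);

        // If fewer rows come back than ids were asked for, the caller requested
        // records that are not under them: refuse the whole request.
        if (owned.Count != requested.Length)
            return Forbid();         // or NotFound(), to avoid confirming existence

        return Ok(owned);
    }
}

// Option 2: the same check as a parameterised filter, e.g.
// [RequireOwnedEmployeeIds("ids")] on the action, so the action body stays clean.
public class RequireOwnedEmployeeIdsAttribute : TypeFilterAttribute
{
    public RequireOwnedEmployeeIdsAttribute(string argumentName = "ids")
        : base(typeof(RequireOwnedEmployeeIdsFilter))
    {
        Arguments = new object[] { argumentName };   // passed to the filter's ctor
    }
}

public class RequireOwnedEmployeeIdsFilter : IAsyncActionFilter
{
    private readonly IEmployeeRepository _repo;
    private readonly string _argumentName;

    public RequireOwnedEmployeeIdsFilter(IEmployeeRepository repo, string argumentName)
    {
        _repo = repo;
        _argumentName = argumentName;
    }

    public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
    {
        var managerClaim = context.HttpContext.User.FindFirstValue("manager_id");
        if (managerClaim is null
            || !context.ActionArguments.TryGetValue(_argumentName, out var arg)
            || arg is not int[] ids)
        {
            context.Result = new ForbidResult();     // fail closed on anything unexpected
            return;
        }

        var requested = ids.Distinct().ToArray();
        var owned = await _repo.GetByManagerAsync(int.Parse(managerClaim), requested);
        if (owned.Count != requested.Length)
        {
            context.Result = new ForbidResult();
            return;
        }
        await next();   // all ids are under the caller; run the action
    }
}
```

With the sample data above, a principal carrying `manager_id = 100` asking for ids 1 and 2 gets both rows, while the same principal asking for 1 and 3 is refused, because id 3 belongs to manager 200. Note that `[Authorize(Roles = "Manager")]` alone does not help here: the attacker in the question is a legitimate manager, so the check has to be about ownership of the specific records, not about the role.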


