Securely calling a WebSite hosted Web API from an Azure WebJob


Question

I have a continuously scheduled WebJob that's monitoring a message queue, pulling messages off and calling a Web API on the peer Web Site to process the messages (in this case using SignalR to send notifications to the appropriate users).

What would be the best way in this case to call the Web API securely? The API being hosted in the web site is obviously exposed otherwise. Perhaps something using Basic Auth, or storing a security token in config and passing it from the job to the Web API. Or creating a custom AuthorizeAttribute?

Any thoughts on securing the Web API call from the WebJob would be much appreciated. The API should only be callable from the WebJob.

UPDATE: Something like this perhaps?

First, I declare this class;

using System;
using System.Net.Http.Headers;
using System.Text;

// Authorization header of the form "Token <base64(secret)>"
public class TokenAuthenticationHeaderValue : AuthenticationHeaderValue
{
    public TokenAuthenticationHeaderValue(string token)
        : base("Token", Convert.ToBase64String(Encoding.UTF8.GetBytes(token)))
    { }
}

Then the caller (the WebJob) uses this class to set an auth header when making the HTTP request;

using (var client = new HttpClient())
{
    client.BaseAddress = new Uri(/* something */);
    client.DefaultRequestHeaders.Accept.Clear();
    client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
    // The token value is read from the App Settings shared by the site and the job
    client.DefaultRequestHeaders.Authorization = new TokenAuthenticationHeaderValue("TOKEN FROM CONFIG");
    // ....
}

Over in the Web API we check the request, looking for the expected token in the auth header. Currently the code is pretty ugly, but this could be put into a custom attribute;

public HttpResponseMessage Post([FromBody]TheThing message)
{
    var authenticationHeader = Request.Headers.Authorization;
    // A request with no Authorization header must be rejected, not dereferenced
    if (authenticationHeader == null || string.IsNullOrEmpty(authenticationHeader.Parameter))
    {
        return Request.CreateErrorResponse(HttpStatusCode.Unauthorized, "No, no, no. That's naughty!");
    }
    var token = Encoding.UTF8.GetString(Convert.FromBase64String(authenticationHeader.Parameter));
    if (authenticationHeader.Scheme != "Token" || token != "TOKEN FROM CONFIG")
    {
        return Request.CreateErrorResponse(HttpStatusCode.Unauthorized, "No, no, no. That's naughty!");
    }
    // All OK, carry on (process the message here).
    return Request.CreateResponse(HttpStatusCode.OK);
}

So this way the WebJob calls the Web API on the peer web site, and security is achieved by passing a token that is securely held in the Azure configuration; both the Site and the Job have access to this token.

Any better ideas?

Answer

Sounds like Basic Authentication would be fine for your scenario.

Great tutorial here: Basic Authentication
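The shared-secret check from the question's update and the Basic Authentication the answer recommends are the same mechanism (a secret both the site and the job read from App Settings, sent on every request), so the following added example implements both in one Web API message handler. It is not code from the question or the answer. It assumes .NET 6 or later (for CryptographicOperations.FixedTimeEquals), and the App Setting name, the "webjob" user name and the sample secret value are illustrative. It fixes the two weaknesses in the question's version: the `token != "..."` string comparison leaks timing information, and a missing or malformed header throws (a 500) instead of returning 401.

```csharp
// Added example, not from the original question or answer.
// A DelegatingHandler that rejects any request not carrying the shared secret,
// in either the question's custom "Token" scheme or the answer's "Basic" scheme.
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

public sealed class SharedSecretHandler : DelegatingHandler
{
    private readonly byte[] _expectedToken;   // UTF-8 bytes of the secret
    private readonly byte[] _expectedBasic;   // UTF-8 bytes of "user:secret"

    public SharedSecretHandler(string userName, string secret)
    {
        _expectedToken = Encoding.UTF8.GetBytes(secret);
        _expectedBasic = Encoding.UTF8.GetBytes(userName + ":" + secret);
    }

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;   // null when absent
        byte[] presented = Decode(auth?.Parameter);
        byte[] expected = auth?.Scheme switch
        {
            "Token" => _expectedToken,
            "Basic" => _expectedBasic,
            _ => null,                         // unknown scheme or no header
        };

        // FixedTimeEquals returns false on a length mismatch and otherwise runs in
        // time independent of where the two inputs differ.
        if (expected == null || presented == null
            || !CryptographicOperations.FixedTimeEquals(presented, expected))
            return Task.FromResult(Reject(request));

        return base.SendAsync(request, ct);    // authenticated: on to the controller
    }

    private static byte[] Decode(string base64)
    {
        if (string.IsNullOrEmpty(base64)) return null;
        try { return Convert.FromBase64String(base64); }
        catch (FormatException) { return null; }   // malformed header -> 401, not 500
    }

    private static HttpResponseMessage Reject(HttpRequestMessage request)
    {
        var response = new HttpResponseMessage(HttpStatusCode.Unauthorized) { RequestMessage = request };
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"webjob\""));
        return response;
    }
}

// Stand-in for the controller: only reached when the handler lets the request through.
sealed class OkHandler : HttpMessageHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage r, CancellationToken ct)
        => Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK));
}

static class Program
{
    static string B64(string s) => Convert.ToBase64String(Encoding.UTF8.GetBytes(s));

    static async Task Main()
    {
        const string secret = "s3cr3t-from-app-settings";   // illustrative; read it from config in real code
        var invoker = new HttpMessageInvoker(
            new SharedSecretHandler("webjob", secret) { InnerHandler = new OkHandler() });

        // Constructed requests covering each path the handler has to deal with.
        var cases = new (string label, AuthenticationHeaderValue auth)[]
        {
            ("valid Token",  new AuthenticationHeaderValue("Token", B64(secret))),
            ("valid Basic",  new AuthenticationHeaderValue("Basic", B64("webjob:" + secret))),
            ("wrong secret", new AuthenticationHeaderValue("Token", B64("guess"))),
            ("not base64",   new AuthenticationHeaderValue("Token", "%%%")),
            ("no header",    null),
        };
        foreach (var (label, auth) in cases)
        {
            var req = new HttpRequestMessage(HttpMethod.Post, "https://example.invalid/api/notify");
            req.Headers.Authorization = auth;
            var res = await invoker.SendAsync(req, CancellationToken.None);
            Console.WriteLine($"{label,-12} -> {(int)res.StatusCode}");   // 200, 200, 401, 401, 401
        }
    }
}
```

In a Web API 2 site the handler is registered once with `config.MessageHandlers.Add(new SharedSecretHandler("webjob", ConfigurationManager.AppSettings["WebJobApiSecret"]))`, where `WebJobApiSecret` is the assumed App Setting name; the WebJob reads the same setting and sends it exactly as in the question's client code. Either scheme puts the secret on the wire in cleartext, so the site must be reachable only over HTTPS (App Service's "HTTPS Only" setting) and the secret should be a long random value that is rotated by changing the App Setting on both sides.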
