Membership / Authorization over a REST service


Question

I'm investigating creating a WCF REST service for an existing ASP.NET application, to be consumed by various clients including Windows Phone 7, Android and iPhone apps.

Creating a simple WCF REST service and consuming it from the above platforms is not a problem and works really well. What I am struggling to get my head around is authorization.

The ASP.NET application uses the Membership provider for authentication and authorization, and I'm comfortable using that API from the REST service.

How do I secure my REST service so that the first call has to authenticate (passing the username and password) and subsequent calls know who is 'logged in'? I'm guessing the authenticate method will have to pass back some sort of token to be used in subsequent calls to identify the caller. Is this secure enough, given that the whole site / service is over SSL?

Any suggestions welcome.

Answer

In general the token approach is better than just sending username+password (Basic Authentication) in each request. The problem is implementing it correctly: while Basic Authentication is very easy to implement, and is in fact already implemented by most application and web servers, the token is something you'll need to implement yourself. It must be encrypted, so clients won't understand it, so you'll need some key management; it also must have an expiration date, and maybe you'll want some revoke functionality.
In addition, it will make the client's life harder: instead of just attaching a Basic Authentication header to each request, the client must first go to some authentication point, receive a valid token and then use the token on subsequent requests. If the token expires, the client will need to go to the authentication point again.

So if you have the time and knowledge, and your clients are smart, it's better to use the token approach. Otherwise, with SSL, Basic Authentication should be sufficient.
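The following is an added example of the two schemes the answer contrasts; it is not code from the question, the answer or WCF, and it is written in Python rather than C# because the scheme itself is language-independent (the .NET side would do the same with HMACSHA256 and the Membership provider). A constructed `/auth` endpoint accepts Basic credentials (acceptable only because the whole service is over SSL/TLS) and issues a token; every other path requires that token. The token is HMAC-SHA256 signed rather than encrypted: that already prevents a client from forging or altering it, and the payload (user, expiry, a random id) contains nothing that needs hiding. The user store, signing key, revocation set and request dispatcher are all constructed stand-ins.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

# Constructed server state: a demo user store standing in for the ASP.NET
# Membership provider, a server-side signing key and a revocation set.
USERS = {"alice": "correct horse battery staple"}
SIGNING_KEY = os.urandom(32)   # production: from protected config, rotated
REVOKED_IDS = set()            # ids (jti) of tokens revoked before expiry
TOKEN_TTL = 3600               # seconds a token stays valid


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def validate_user(username: str, password: str) -> bool:
    """Stand-in for Membership.ValidateUser (constant-time compare)."""
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def issue_token(username: str, now: Optional[float] = None) -> str:
    """'<b64 payload>.<b64 HMAC-SHA256 tag>': signed, not encrypted, so the
    client can read it but cannot forge or alter it without SIGNING_KEY."""
    now = time.time() if now is None else now
    payload = {"sub": username, "exp": int(now) + TOKEN_TTL, "jti": secrets.token_hex(16)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def _unpack(token: str) -> Optional[dict]:
    """Check the tag first, then return the payload; None for anything not signed by us."""
    try:
        body, tag_b64 = token.split(".", 1)
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag_b64)):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    return payload if isinstance(payload, dict) else None


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username the token identifies, or None if it must be rejected."""
    now = time.time() if now is None else now
    payload = _unpack(token)
    if payload is None:
        return None
    if payload.get("exp", 0) <= now:
        return None                   # expired: client must re-authenticate
    if payload.get("jti") in REVOKED_IDS:
        return None                   # revoked: logout or password change
    return payload.get("sub")


def revoke_token(token: str) -> bool:
    """Reject a genuine token from now on even though it has not expired."""
    payload = _unpack(token)
    if payload is None or "jti" not in payload:
        return False
    REVOKED_IDS.add(payload["jti"])
    return True


def basic_header(username: str, password: str) -> str:
    """What the client sends on the first call; acceptable only over SSL/TLS."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def handle_request(path: str, headers: dict, now: Optional[float] = None):
    """Constructed dispatcher: /auth takes Basic credentials and issues a token;
    every other path needs a valid bearer token. Returns (status, body)."""
    auth = headers.get("Authorization", "")
    if path == "/auth":
        if not auth.startswith("Basic "):
            return 401, "Basic credentials required"
        try:
            user, _, pwd = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return 400, "malformed Basic header"
        if not validate_user(user, pwd):
            return 401, "bad credentials"
        return 200, {"token": issue_token(user, now=now)}
    if not auth.startswith("Bearer "):
        return 401, "token required"
    user = verify_token(auth[7:], now=now)
    if user is None:
        return 401, "token invalid, expired or revoked; call /auth again"
    return 200, {"path": path, "user": user}
```

To try it, call `handle_request("/auth", {"Authorization": basic_header("alice", "correct horse battery staple")})` to obtain a token, then send it as `Bearer <token>` on any other path; `revoke_token(token)` makes the same token fail before its expiry. Two practical notes on the "key management" the answer mentions: rotating `SIGNING_KEY` invalidates every outstanding token at once, which is a feature on compromise and a nuisance otherwise, and the revocation set only needs to remember an id until that token's `exp` has passed, so in a real service it is a store with expiry rather than an ever-growing set.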

