ASP.net Web API RESTful Web 服务 + 基本身份验证 [英] ASP.net Web API RESTful web service + Basic authentication
问题描述
我正在使用 ASP.Net Web Api 实现 RESTful Web 服务.我已经得出结论使用基本身份验证 + SSL 来完成身份验证部分.实现它的最佳/正确方法是什么?
I'm implementing a RESTful web service using ASP.Net Web Api. I have concluded to use Basic authentication + SSL to do the authentication part. What is the best/correct way to implement that?
我的第一次尝试是手动完成,解析 Authorization 标头,根据我的数据库解码和验证用户.它有效,但我想知道我是否遗漏了什么.
My first attempt was to do it manually, parsing the Authorization header, decoding and verifying the user against my database. It works, but I wonder if I am missing something.
我见过一些使用用户角色和主体的解决方案.虽然我不确定这些实际上做了什么,但我几乎可以肯定我不需要这些,因为在我的数据库中我定义了我自己的用户和他们的角色.
I've seen some solutions using user roles and principals. While I'm not sure what these actually do, I'm almost sure I will not be needing these, since in my database I define my own users and their roles.
另外我还没有完全理解的是,服务的消费者是否必须随每个请求发送凭据,或者它们是否以某种方式被缓存.我的服务应该做些什么来实现这一点,还是完全由消费者来处理?
Also what I haven't yet completely understand, is if the consumers of the service must sent the credentials with each request or they are somehow cached. Should my service do something in order for this to happen, or it's completely up to the consumer to handle this?
最后一个关于客户使用 javascript 提出请求的问题.如果他们尝试使用该服务,是否会出现跨域请求"问题?
And a last question about clients making requests with javascript. Would there be any "cross domain request" problems if they try to use the service?
推荐答案
Jamie Kurtze 在此处很好地解释了使用基本身份验证 ASP.NET Web API REST 安全基础
Jamie Kurtze provides a good explanation of using Basic Authentication here ASP.NET Web API REST Security Basics
据我所知,如果您希望您的请求是无状态的,那么每个请求都需要设置 Authentication 字段
From my understanding, if you want your requests to be stateless then each request will require the Authentication field to be set
Jamie Kurtze 将必要的代码包装在从 DelegateHandler 派生的类中,而 Rick Strahl 使用过滤器检查调用是否有效.您可以在他关于此主题的博客文章中阅读更多内容 WebAPI 基本身份验证授权过滤器
Jamie Kurtze wraps the necessary code in a class derived from DelegateHandler, while Rick Strahl checks if the call is valid using a Filter. You can read more at his blog post on this topic at A WebAPI Basic Authentication Authorization Filter
这篇关于ASP.net Web API RESTful Web 服务 + 基本身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
