如何保护我的Web API - 与Android / iOS应用MVC4 [英] How to secure my Web API - MVC4 with Android/iOS apps
问题描述
我一直在所以这里读了不少问题,如何保护网络的API使用API密钥,令牌,HMAC等并没有发现我要找的答案。
I've been reading quite a few questions here on SO about securing web api's using api keys, tokens, hmac ect and haven't found the answer I am looking for.
我的工作与Internet和Intranet站点,网络API和Android / iOS的应用程序的MVC4 Web应用程序项目。
I'm working on a MVC4 web application project with internet and intranet sites, web api and Android/iOS applications.
在Web API是被我的应用程序和其他人作为它将访问敏感数据
The Web API is to be used by my applications and nobody else as it will be accessing sensitive data.
什么是所以只能保证这个API我的应用程序可以使用它的最佳方式?一些似乎是这样一个简单的请求是极难上手的。
What would be the best way of securing this api so only my apps can use it? Something that seems like such a simple request is extremely difficult to get started on.
我在后看着这里所以使用HMAC和其他几个人,但没有人听起来像他们将适合在这里,很可能我只是缺少更多的东西。
I've looked at the post here on SO using HMAC and a few others but none of them sounded like they would fit here, more than likely I am just missing something.
是HMAC要走的路或将客户端证书更适合于这种情况呢?
Is HMAC the way to go or would client certificates be more appropriate for this situation?
我应该使用SSL和某种API密钥的?
Should I use SSL and some sort of API key?
我知道这个问题有点含糊,我在它的眼前了一个多小时试图找出如何字我在想什么,所以我想我会只是它张贴和更新如果需要的话...: (
I know the question is a bit vague, I've been staring at it for over an hour trying to figure out how to word what I am thinking so I figured I would just post it and update if needed... :(
我会更乐意根据要求提供更多的细节。
I would be more than happy to provide more details upon request.
推荐答案
生成的每个应用的关键,并让他们在传递每个请求为令牌的关键。然后,您的服务器可以验证密钥和验证请求。
Generate a key for each of your apps and have them pass the key in each request as a token. Your server can then verify the key and authenticate the request.
看看在基本身份验证模块从ASP.NET网站。该示例使用基本的授权方案,但你可以改变它使用'令牌'代替。
Take a look at the Basic Authentication module from the ASP.NET site. The sample uses 'basic' as the authorization scheme but you can change it use 'token' instead.
private static void OnApplicationAuthenticateRequest(object sender, EventArgs e)
{
var request = HttpContext.Current.Request;
var authHeader = request.Headers["Authorization"];
if (authHeader != null)
{
var authHeaderVal = AuthenticationHeaderValue.Parse(authHeader);
// RFC 2617 sec 1.2, "scheme" name is case-insensitive
if (authHeaderVal.Scheme.Equals("token",
StringComparison.OrdinalIgnoreCase) &&
authHeaderVal.Parameter != null)
{
AuthenticateUser(authHeaderVal.Parameter);
}
}
}
一旦你的基本认证模块的地方,你可以简单地装饰与授权属性的任何动作和控制器,它会请求转发到基本验证处理程序。
Once you have the Basic Auth module in place you can simply decorate any actions or controllers with the Authorize attribute and it will forward the request to the Basic Auth handlers.
namespace webapi.Controllers
{
[Authorize]
public class SensitiveDataController : ApiController
{
...
}
}
至于对你的的电线必须使用基本身份验证时,您的主要会以明文传输使用SSL。
As far as over the wire you MUST use SSL when using basic authentication as your key will be transmitted in plain text.
这篇关于如何保护我的Web API - 与Android / iOS应用MVC4的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
