How to use a MVC WebAPI OData endpoint securely?


Problem description

I have an OData endpoint defined at ~/odata/, which doesn't need to be accessed unless a user has been authenticated (in fact, how would you secure this for non-authenticated users?).

I set up role-based authentication for this path in the web.config with:

  <location path="odata">
    <system.web>
      <authorization>
        <allow roles="WaitConfirmation, etc...."/>
      </authorization>
    </system.web>
  </location>

When a user logs in, I don't use the OData endpoint for authentication (primarily because I need to figure out how to secure this).

I use EntityFramework to validate the user, return the user object, and hydrate the membership/role details.

Is this the standard method to follow to allow users' data calls to go through WebAPI paths, and if so, how do you ensure that any WebAPI requests (remember, I'm using OData) only return data related to the logged-in user?

I have only read about "securing" OData services by means of decorating controller methods (i.e. [Queryable(PageSize=10)]) in order to limit DoS attacks, etc., but not how to ensure that if a common parameter (i.e. UserID=[this logged-in user id]) is not included, it gets included on all EF requests.

Recommended answer

So the major hurdle to get past is thinking that all WebAPI requests (using the OData syntax) are stateless. Of course, in a stateless environment this makes things more difficult.

However, with the WebAPI endpoint secured through web.config requiring an authenticated (stateful) request, we should be able to grab the UserName (or UserID, or any other custom property when using a custom membership provider) by something like var userId = ((CustomIdentity)HttpContext.Current.User.Identity).UserId.

Once this is established, we will need to add something like "WHERE UserID = userId;" before the request is issued:

        // options is the ODataQueryOptions<MyTable> bound from the request
        // ($filter, $orderby, $top, ...); UserContext.Identity is the custom
        // membership identity mentioned above.
        var unitOfWork = new Repository.UnitOfWork(_db);

        // The ownership predicate is composed server-side before the client's
        // query options are applied, so a client-supplied $filter can only
        // narrow this set further, never widen it.
        var users = options.ApplyTo(unitOfWork.Repository<MyTable>().Queryable
            .Include(w => w.NavigationProperty1)
            .Where(u => u.UserId == UserContext.Identity.UserId)
            .OrderBy(o => o.SomeProperty))
            .Cast<MyTable>().ToList();

Other suggestions welcome.
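The approach in the answer, worked through as a complete Web API 2 OData controller. This is an added example, not code from the question or the answer; it assumes an EF DbContext named AppDbContext with a DbSet<MyTable> MyTables, a MyTable entity with Id and UserId columns, and a CustomIdentity class exposing UserId (the custom membership identity the answer refers to). None of these names are in the original post. Two caveats the example addresses: the web.config rule in the question only contains <allow roles="..."/>, and ASP.NET URL authorization takes the first matching rule, so a request that matches no role falls through to the inherited <allow users="*"/> from the machine-level config; without a trailing <deny users="*"/> (or <deny users="?"/>) anonymous callers are not actually rejected. And an <allow>/<deny> in a <location path="odata"> is path-based, so a second route to the same controller would bypass it, which is why the controller carries its own [Authorize].

```csharp
// Added example (not from the question or answer). Assumptions, not in the original:
//   - AppDbContext is an EF DbContext with DbSet<MyTable> MyTables
//   - MyTable has int Id and int UserId properties
//   - CustomIdentity is the membership provider's IIdentity with an int UserId
using System.Data.Entity;
using System.Linq;
using System.Net;
using System.Web.Http;
using System.Web.Http.OData.Query;

[Authorize] // defence in depth: the web.config <location> rule is path-based only
public class MyTableController : ApiController
{
    private readonly AppDbContext _db = new AppDbContext();

    // Whitelist the query options a caller may use. $expand and $select are left
    // out: an $expand through a navigation property could pull rows that belong
    // to other users, because only the root set is filtered by UserId below.
    private static readonly ODataValidationSettings QuerySettings = new ODataValidationSettings
    {
        AllowedQueryOptions = AllowedQueryOptions.Filter | AllowedQueryOptions.OrderBy
                            | AllowedQueryOptions.Top | AllowedQueryOptions.Skip,
        MaxTop = 100
    };

    // GET ~/odata/MyTable?$filter=...&$orderby=...&$top=...
    public IQueryable<MyTable> Get(ODataQueryOptions<MyTable> options)
    {
        options.Validate(QuerySettings);   // throws -> 400 on a disallowed option
        int userId = CurrentUserId();

        // Ownership predicate first. The client's $filter is AND-ed onto this
        // IQueryable by ApplyTo, so it can only narrow the set, never widen it.
        IQueryable<MyTable> scoped = _db.MyTables.Where(t => t.UserId == userId);

        // Without $select/$expand the element type is still MyTable, so the cast is safe.
        return (IQueryable<MyTable>)options.ApplyTo(scoped);
    }

    // GET ~/odata/MyTable(42)
    // The key lookup is scoped by UserId as well. A row that exists but belongs
    // to another user yields 404, so the response does not confirm it exists.
    public IHttpActionResult Get(int key)
    {
        int userId = CurrentUserId();
        var row = _db.MyTables.SingleOrDefault(t => t.Id == key && t.UserId == userId);
        return row == null ? (IHttpActionResult)NotFound() : Ok(row);
    }

    // DELETE ~/odata/MyTable(42): writes use the same scoping as reads
    public IHttpActionResult Delete(int key)
    {
        int userId = CurrentUserId();
        var row = _db.MyTables.SingleOrDefault(t => t.Id == key && t.UserId == userId);
        if (row == null) return NotFound();
        _db.MyTables.Remove(row);
        _db.SaveChanges();
        return StatusCode(HttpStatusCode.NoContent);
    }

    // The user id comes from the request's authenticated principal (the cookie the
    // web.config rule already requires), never from a query-string or body value.
    private int CurrentUserId()
    {
        var identity = User == null ? null : User.Identity as CustomIdentity; // assumed type
        if (identity == null || !identity.IsAuthenticated)
            throw new HttpResponseException(HttpStatusCode.Unauthorized);
        return identity.UserId;
    }

    protected override void Dispose(bool disposing)
    {
        if (disposing) _db.Dispose();
        base.Dispose(disposing);
    }
}
```

If you prefer the [Queryable] / [EnableQuery] attribute style from the question instead of taking ODataQueryOptions explicitly, the same rule holds: return the already-scoped IQueryable from the action and let the attribute compose the client's options on top of it, and keep AllowedQueryOptions and MaxTop on the attribute so $expand cannot reach unfiltered related rows.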
