I found great article about client/server implementation via Self Host Web API
http://www.asp.net/web-api/overview/older-versions/self-host-a-web-api
And I am wondering about the correct authentication method for this model (Self Host Web API ).
Have I use a bearer token authentication? Is there any other method?
Or for example http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
I have following working requirements:
C# http client must connect to Self Host Web API Windows Service and send files.
The connection must be secure 100%.
So how to protect WebAPI, any clue?
Have you checked this answer?
ASP.NET Web API Self-Host with Windows Authentication
Looks like is working quite well with Windows Authentication.
BTW, Bearer it's probably more flexible, but it depends on your needs.
BTW(2): HTTPS is a must if you want to achive an high level of security, but 100% looks veeery high :)
Related
I am building Web API with ASP.NET Core hosted on IIS that will act as proxy integrating a few services.
I need to forward user credentials/identity to specific services managed by my API and to do so i want to enable ticket forwarding in Kerberos.
What steps i need to take to make it work?
First of all I need to setup my service as trusted in KDC and after that should it will received forwardable tickets instead of regular ones (i need to specific services that my API can forwards tickets to), am i right?
How do i then forward that ticket to other service using HttpClient?
Does attaching received token to request will be enough?
Am i correct about listed by me steps and is there any thing more to do?
Thank you all for help.
I have a ASP.Net WebAPI service that is used by my AngularJS front end and I am making use of Owin and bearer token.
Now there is a need that we need to install an agent on the few of the client machines (developed in .Net core mostly) that is able to connect to our application and make similar calls. I can create a separate controller for this need, but want to host it in the same website.
How can I create a secure connection between this agent and the ASP.Net server hosted on Azure?
Currently I am looking at generating a Token during the agent installation based on the client MAC address and giving it with each call, but I am checking if there are any better way to address this need.
Any help in this direction is welcome.
Regards
Kiran
It seems that you’d like to enable only valid “agents” that installed on the client machines to communicate with your server, if that is the case, Azure AD provides Native Application to Web API authentication scenario (a native application that runs on a phone, tablet, or PC needs to authenticate a user to get resources from a web API that is secured by Azure AD), you could refer to it.
I have a uwp application and an ASP Core server application. I want to perform Get and Post requests to the ASP server and I want to perform authorization on the server side.
According to the team, they don't want you to use Basic authentication nor seems there be a way to perform digest Authentication. I don't want my client app to show the user any ui: it should be able to perform a secure request by itself.
So: what is the most easy and secure protocol to use to perform api requests from UWP to an ASP Core server?
what is the most easy and secure protocol to use to perform api requests from UWP to an ASP Core server?
I'd like to say this is a open question and I will give some suggestions and hope it can help you. Basic authentication and digest authentication you mentioned are defined in rfc2617. Since you don't want to use them, besides HTTP Basic/Digest you may have other choices like OAuth, HMAC and Azure API Management.
Since you don't want the user to input username and password, to request an access token for authentication may meet your requirements. So I recommend you to use OAuth authentication which is popular. More details about OAuth2.0 please reference this. But it requires OAuth server, it may not be a easiest way.
Another way you can apply HMAC authentication to secure Web Api. HMAC authentication uses a secret key for each consumer. For more details about HMAC authentication please reference this thread. For more details about HMAC in uwp please reference MACs, hashes, and signatures.
You can also use third party tools from Azure. Azure API management can help secure and optimize your APIs. Details please reference the Publishing and securing access to REST APIs in uwp.
I am trying to test a simple scenario in my development machine wherein I have a service which is configured on basicHttpbinding. I am trying to use CustomUserNamePasswordValidator and have configured Security level as "TransportWithMessageCredential"
Now, when I test the service with a web client (both service and client on Asp.net development server), service completely ignores the validator and simply returns the data, although I am passing wrong credentials from my client.
Is it because I am using VS Development Server ?
Is use of SSL over HTTP manadatory when we use TransportWithMessageCredentials. Is there an alternative wherein I need not use Https ?
WCF does not support any configurations out of the box which would permit transmission of unsecured credentials.
We can successfully consume a .NET 2.0 web service from a Flex/AS3 application. Aside from SSL, how else can we make the security more robust (i.e., authentication)?
You can leverage ASP.Net's built in session management by decorating your webmethods with
<EnableSession()>
Then, inside your method, you can check that the user still has a valid session.
If you're talking about securing the information going over the wire, you can use Web Service Extensions (WSE) to encrypt the body of the soap message so that you don't have to secure the channel. This way the message can get passed around from more than one endpoint (ie. it can get forwarded) and you don't need multiple https certs.
If you're talking abut autentication then you could do forms auth with either a password in the body or in the soap headers (once again either encrypt the body or the channel). Or one of the easiest ways to secure a webservice (if it's an internal set of services) is have IIS do it, turn on NTLM and do authentication there. You can do authorization later on in the pipeline with an HTTPModule that checks peoples credential against the code they're trying to call.
Consider using WebOrb to communicate with your service. Here is some information on WebOrb's authentication mecahnism. There is also an article on Adobe's developer site on using WebOrb and .Net for authentication.
You should be able to use asp.net's authentication (such as forms authentication) without much extra effort. Securing an asmx file is just like securing an aspx file. There's a ton of information on forms authentication out there, just search for 'asp.net forms authentication'
If you are using Microsoft technologies you could build a little Asp.Net/C# application that would ask for credentials before redirecting to the correct swf.
That way you could restrict the access and have different swf file depending on the user.