I've watched and viewed lots of pages on securing asp.net web api's - including: http://weblogs.asp.net/jgalloway/archive/2012/03/23/asp-net-web-api-screencast-series-part-6-authorization.aspx and http://weblogs.asp.net/jgalloway/archive/2012/05/04/asp-net-mvc-authentication-customizing-authentication-and-authorization-the-right-way.aspx - however, I've not yet seen a KISS type example.
If I have a web api, which returns a list of cars for example - and I am working with a 3rd party (i.e. not my own website or server/domain) who wants to query (get) and insert (post) lists of cars by a type, into my database, how do I authenticate them (via https)?
Do they simply add (into their JSON GET/Post) something like:
[
  {"username": "someusername", "password": "somepassword"},
  {"carTypeID": 12345},
  {"carTypeID": 9876},
  {"carTypeID": 2468}
]
I can then grab the username and password, and check against my membership database in .net, and "IfUserAuthenticated" go on to process the rest of the JSON?
Or is there a better way of doing this? I've heard of adding details to headers etc. - but I'm not sure if that's for a reason, or over-complicating it. I've also heard of setting tokens which are sent back to the 3rd party - if that's the best method, what instructions do I give them for building their side of the app that will use my API?
Thanks for any advice/pointers,
Mark
If you want to keep it simple you can use Basic authentication. Over SSL it's quite secure. It simply involves adding a header to the request:
Authorization: Basic <username:password encoded as base64>
You can find a way to implement it here.
You can use HTTP Basic authentication along with SSL. It's very simple to implement using message handlers and is supported out of the box on many platforms.
See my blog for an example (it is very easy to integrate with the membership provider of your choice):
http://www.piotrwalat.net/basic-http-authentication-in-asp-net-web-api-using-message-handlers/
I've written something similar for the Web API:
http://remy.supertext.ch/2012/04/basic-http-authorization-for-web-api-in-mvc-4-beta/
It's in use at a few places now and we've been using it since about 2 months in production. Seems to work fine.
AngularJS' $http service doesn't provide for HTTP Options requests, and I very much would like to have them.
I created a Web API using Django REST framework and I'm trying to leverage all it offers me in an AngularJS web application. My Django REST api provides a plethora of data from HTTP Options requests (e.g. required fields, where to obtain connected data from via hyperlinks, etc.) and I want to leverage that in the Angular application.
However, AngularJS' $http service doesn't appear to support native Options requests which makes this a pretty annoying problem...I mean, if it isn't built-in a workaround isn't going to be pretty.
I tried restangular: definitely not what I need because it doesn't allow me to supply my hyperlinks returned in the JSON from the api, and I'll be darned if I'm parsing a URL for an 'id' - absolutely silly if I have the URL already.
I looked at the angular-django-rest library: highly unsupported and couldn't get PUTs to work for the life of me b/c there's only a $save() method, which somehow automagically selects POST/PUT (?).
So, I'm at a loss! Does anyone have any idea how to get an HTTP Options request in AngularJS?
$http supports options. Options doesn't have a function declared like $http.get() or $http.post(), but you can specify any method you want by specifying the method and passing it directly into $http.
$http({method: 'OPTIONS', url: '/foo'})
You can also use $resource:
$resource(address, {}, {options:{method:'OPTIONS'}});
I am trying to work out how to access content on this site: https://handbook.unimelb.edu.au/
I can manually conduct a search via the browser, and I am tracking the raw http request via HTTP live Headers, but having endless problems working out how the system is actually conducting search.
In particular, using the advanced search via: https://handbook.unimelb.edu.au/faces/htdocs/user/search/AdvancedSearch.jsp
Results in data similar to the following being sent:
POST /faces/htdocs/user/search/AdvancedSearch.jsp HTTP/1.1
AdvancedSearchForm%3Akeywords=&AdvancedSearchForm%3ACourseOrSubjectSelection=SUBJECT_ALL&AdvancedSearchForm%3AGraduateLevelSelection=POSTGRADUATE_ALL&AdvancedSearchForm%3AfacultyList=&AdvancedSearchForm%3AdepartmentList=&AdvancedSearchForm%3Alevel=ALL&AdvancedSearchForm%3Asemester=ALL&AdvancedSearchForm%3AallStudyAreas=t&oracle.adf.faces.FORM=AdvancedSearchForm&oracle.adf.faces.STATE_TOKEN=_id51018%3A_id51019&source=AdvancedSearchForm%3AsearchButton
The server immediately responds with "HTTP/1.1 302 Moved Temporarily" and redirects me to "Location: https://handbook.unimelb.edu.au/faces/htdocs/user/search/SearchResults.jsp"
Which actually displays the search results.
As far as I can tell, the search itself must be using a session to store the searched-for terms between the post and the subsequent get.
Is this normal JSF behaviour?
Is there a trick to accessing such a system?
Is this normal JSF behaviour?
This behaviour is not "normal". This approach is however explainable for legacy JSF 1.x applications; it's because GET forms weren't natively supported by JSF 1.x. I would however consider this approach rather poor design and would have recommended using <managed-property> to inject GET request parameters. The webapp architect/developer has most likely not really thought it out very well. Note that since JSF 2.0, which has been out for a little over 3 years already, GET forms using plain HTML <form> are natively supported thanks to the new <f:viewParam> tag.
Is there a trick to accessing such a system?
Tell your HTTP client to maintain the session (read: the cookies) and auto-follow redirects. By default, JSF relies heavily on the session already as it stores the view state in there as well. This is in turn not related to the way that webapp is designed.
See also:
How can I programmatically upload a file to a website? - related answer on how to properly programmatically submit a JSF based form.
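Added example (not part of the answer) of the client the answer describes, in Node.js: a small cookie jar, a send function that follows 302s while replaying the session cookie only to the host that set it, and a constructed stand-in for the JSF server so the flow runs offline. The form field name and the paths are taken from the question; how the stand-in stores the search in its session is assumed.

```javascript
// Added example: keep the session cookie between the POST and the redirected GET.
// Not code from the answer; the server below is a constructed stand-in.

// Minimal cookie jar keyed by host; attributes (Path, HttpOnly, ...) are dropped.
class CookieJar {
  constructor() { this.byHost = new Map(); }
  store(host, setCookieHeaders) {
    const jar = this.byHost.get(host) || new Map();
    for (const line of setCookieHeaders || []) {
      const [pair] = line.split(';');
      const eq = pair.indexOf('=');
      if (eq > 0) jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
    }
    this.byHost.set(host, jar);
  }
  headerFor(host) {
    const jar = this.byHost.get(host);
    if (!jar || jar.size === 0) return undefined;
    return [...jar].map(([k, v]) => `${k}=${v}`).join('; ');
  }
}

// Sends a request, stores cookies, follows 302/303 with a GET (as browsers do), never
// replays cookies to a host other than the one that set them, and caps the redirect chain.
function sendWithSession(transport, jar, req, maxRedirects = 5) {
  let current = { ...req };
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const url = new URL(current.url);
    const cookie = jar.headerFor(url.host);
    const headers = { ...(current.headers || {}), ...(cookie ? { cookie } : {}) };
    const res = transport({ ...current, headers });
    jar.store(url.host, res.headers['set-cookie']);
    if (res.status !== 302 && res.status !== 303) return res;
    const next = new URL(res.headers.location, url);       // Location may be relative
    current = { method: 'GET', url: next.toString(), headers: {} };  // drop body and request headers
  }
  throw new Error('too many redirects');
}

// Constructed stand-in for the JSF server: the POST stores the search in a session and
// redirects; the results page only has something to show when that session cookie comes back.
function makeFakeServer() {
  const sessions = new Map();
  let nextId = 1;
  return function transport(req) {
    const url = new URL(req.url);
    const sid = /JSESSIONID=([^;]+)/.exec(req.headers.cookie || '')?.[1];
    if (req.method === 'POST' && url.pathname.endsWith('/AdvancedSearch.jsp')) {
      const id = String(nextId++);
      sessions.set(id, { keywords: new URLSearchParams(req.body).get('AdvancedSearchForm:keywords') });
      return {
        status: 302,
        headers: { 'set-cookie': [`JSESSIONID=${id}; Path=/; HttpOnly`], location: '/faces/htdocs/user/search/SearchResults.jsp' },
        body: '',
      };
    }
    if (req.method === 'GET' && url.pathname.endsWith('/SearchResults.jsp')) {
      const s = sid && sessions.get(sid);
      return { status: 200, headers: {}, body: s ? `results for ${s.keywords}` : 'no search in session' };
    }
    return { status: 404, headers: {}, body: '' };
  };
}

// Whole flow: POST the form, follow the redirect with the cookie, return the results body.
function runSearch(keywords) {
  const jar = new CookieJar();
  const res = sendWithSession(makeFakeServer(), jar, {
    method: 'POST',
    url: 'https://handbook.unimelb.edu.au/faces/htdocs/user/search/AdvancedSearch.jsp',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ 'AdvancedSearchForm:keywords': keywords }).toString(),
  });
  return res.body;
}

console.log(runSearch('security'));
```

Two of the details matter beyond this site: the jar is scoped by host so a redirect to another origin cannot carry the session cookie along, and the redirect hop drops the POST body and request headers rather than resending them.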
I've been following a series of videos on how to create a web API using MVC 4. The sixth video describes the authorization process, but it is both too complex for what I want, and it somehow redirects to a form (which makes no sense to me, but then I'm new to this stuff).
I've used API's from other sites, and they usually use one of 2 methods:
a token in the URL (http://myurl/api/service/?token=[bunch of characters here])
a username or password (or token) in the header
I'm leaning towards the second method, as it means I wouldn't have to add a parameter to each of my methods.
If I use this approach, do I need to add code to the beginning of each method to check the headers (request.headers?) for username/password (then find them in our database and see if they have permission to access this method)...Or is there a simpler way of doing this?
You can mark your Controller class with an attribute derived from AuthorizationFilterAttribute.
http://msdn.microsoft.com/en-us/library/system.web.http.filters.authorizationfilterattribute(v=vs.108).aspx
In this case you will not need to write authorization checks in every method, but only in one place.
This approach is well described under the following link:
http://www.tugberkugurlu.com/archive/api-key-authorization-through-query-string-in-asp-net-web-api-authorizationfilterattribute
Currently I'm working on a jQuery Mobile website which will later be transformed into an app via Titanium. I have created a RESTful JSON web service, which is running on a different server than the jQuery Mobile application. The web service is consumed via AJAX using JSONP.
One thing I find annoying is that I can't make use of HTTP error codes, because jQuery automatically aborts a JSONP call whenever the server issues an error. I can never get hold of the error code on the client side.
Another thing is that JSONP only works with the HTTP verb GET, you cannot issue a JSONP POST for example (Currently, the web service is GET only, but that could change).
Are there any alternatives to JSONP? Or is JSONP the only choice I have when using remote JSON web services with AJAX? For example, how do Twitter apps interact with the Twitter API (they have a REST API)?
Your question is a nice illustration why people complain that jquery is too easy to adopt ;)
JSONP is not ajax. There are no success and failure callbacks. JSONP is this:
put the parameters in the url
add &jsoncallback=random2745273
create a global variable random2745273 and put the callback reference in it
add <script src="theurlhere"></script> to the head
that's all you can do.
The server returns
random2745273({somedata});
and that's how your callback is called.
If you want to report errors, then your server has to generate a correct code. You will not know what HTTP headers were sent.
And this is the only way you can communicate cross-domain with an api.
Cross-domain communication is also possible by generating iframes, but it's hacky and rarely used.
[edit]
Ok, that got me thinking... I could use the iframe hack to wrap over the JSONP!
And as usual - I wasn't the first to have the idea (and I'm finally humble enough to google my ideas expecting it ;) )
Here it is: http://beebole.com/en/blog/general/sandbox-your-cross-domain-jsonp-to-improve-mashup-security/
awesome
[edit2]
awww, I forgot... There's another one.
window.postMessage
It already got implemented in some browsers. If you don't have to be compatible with most of the browsers, you can start using it now! :)
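Added example (not from the answer) of the server half of the sequence above, in Node.js: building the random2745273({...}) response, validating the callback name before it is echoed into script, and carrying errors inside the payload since, as the answer says, the client never sees the HTTP status. The car data and the query field names are constructed; the client simulation stands in for what the injected script tag does.

```javascript
// Added example: the server side of JSONP, with callback validation and in-band errors.
// Not code from the answer; data and query field names are constructed.

// Only a plain (optionally dotted) identifier is accepted. Echoing anything else would let
// ?jsoncallback=... inject arbitrary script into a response served as JavaScript.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function jsonpResponse(callbackName, payload) {
  if (!CALLBACK_RE.test(callbackName || '')) {
    return { status: 400, contentType: 'text/plain', headers: {}, body: 'invalid callback name' };
  }
  // JSON is valid JS except for U+2028/U+2029 inside strings, which older engines treat as
  // line terminators; escape them so the script still parses.
  const json = JSON.stringify(payload).replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    contentType: 'application/javascript; charset=utf-8',
    headers: { 'x-content-type-options': 'nosniff' },
    // The leading comment keeps the body from being reinterpreted as another file type.
    body: `/**/ ${callbackName}(${json});`,
  };
}

// The API handler: instead of answering 404/500 (which the script tag swallows), put the
// error in the payload so the callback still fires and the page can inspect it.
const cars = { 12345: { carTypeID: 12345, name: 'constructed sample' } };
function handleCarRequest(query) {
  const cb = query.jsoncallback;
  const id = query.carTypeID;
  if (!(id in cars)) {
    return jsonpResponse(cb, { ok: false, error: { code: 404, message: `no car type ${id}` } });
  }
  return jsonpResponse(cb, { ok: true, data: cars[id] });
}

// What the <script src=...> tag does on the client, simulated: run the body with the
// named global callback in scope and capture what it was called with.
function simulateClient(callbackName, responseBody) {
  let received;
  const callback = (data) => { received = data; };
  new Function(callbackName, responseBody)(callback);
  return received;
}

console.log(handleCarRequest({ jsoncallback: 'random2745273', carTypeID: '12345' }).body);
```

The callback regex is the important line: the name comes from the URL, and the response is executed as script by every page that embeds it, so it must never be echoed unchecked.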
After some more research on postMessage I found an alternative to JSONP: AJAX via Cross-domain messaging with EasyXDM.
See http://easyxdm.net/wp/2010/03/17/cross-domain-ajax/
I'm trying to utilize the Amazon Product Advertising API. They provided me with a .wsdl file which I consumed and generated wrapper classes for via Visual Studio 2008's "Add Service Reference" option. This wrapper class works just fine as is and I've been successfully sending requests and receiving responses from Amazon.
However, they are now requiring that all partners start authenticating their requests. They have provided me with two .pem files (one which they call my X.509 certificate file, and one which they call my private key file). I'm not entirely sure what to do with these files. Amazon states the following:
Each SOAP request must be signed with the private key associated with the X.509 certificate. To create the signature, you sign the Timestamp element, and if you're using WS-Addressing, we recommend you also sign the Action header element. In addition, you can optionally sign the Body and the To header element
I realize that much more information may need to be provided here, so please let me know if I need to provide further detail in order to get an answer to this question.
Check out this article --> http://www.byteblocks.com/post/2009/06/15/Secure-Amazon-Web-Service-Request.aspx
Looks like it should help you out.
Other links that might help:
1) http://developer.amazonwebservices.com/connect/thread.jspa?messageID=132705