The login page described earlier only protects our Markdown content, not our dynamic web services. If you know the resource names of the web services, you can still extract all sensor data and control the actuator output, unauthenticated. To avoid this, we need to add an authentication layer on top of our web services. We can do this by using JWT (Java Web Tokens). These tokens are simple strings that are cryptographically signed by a server, and that can be easily transported in any type of machine-to-machine communication where you want to avoid sessions and login forms. The server can then validate the token by checking the signature. By adding the
Waher.Security.JWT.UWP NuGet package to our
ActuatorHttp projects, we can use JWT to protect our web services.
For .NET standard, .NET Core, or traditional .NET Framework projects, you can use the
Waher.Security.JWT NuGet instead.