Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying ASP.NET Web API Security Essentials
  • Table Of Contents Toc
  • Feedback & Rating feedback
ASP.NET Web API Security Essentials

ASP.NET Web API Security Essentials

By : Gunasundaram
2.3 (3)
Buy this Book
close
close
ASP.NET Web API Security Essentials

ASP.NET Web API Security Essentials

2.3 (3)
By: Gunasundaram
Buy this Book

Overview of this book

This book incorporates the new features of ASP.NET Web API 2 that will help you to secure an ASP.NET Web API and make a well-informed decision when choosing the right security mechanism for your security requirements. We start by showing you how to set up a browser client to utilize ASP.NET Web API services. We then cover ASP.NET Web API’s security architecture, authentication, and authorization to help you secure a web API from unauthorized users. Next, you will learn how to use SSL with ASP.NET Web API, including using SSL client certificates, and integrate the ASP.NET Identity system with ASP.NET Web API. We’ll show you how to secure a web API using OAuth2 to authenticate against a membership database using OWIN middleware. You will be able to use local logins to send authenticated requests using OAuth2. We also explain how to secure a web API using forms authentication and how users can log in with their Windows credentials using integrated Windows authentication. You will come to understand the need for external authentication services to enable OAuth/OpenID and social media authentication. We’ll then help you implement anti-Cross-Site Request Forgery (CSRF) measures in ASP.NET Web API. Finally, you will discover how to enable Cross-Origin Resource Sharing (CORS) in your web API application.
Table of Contents (11 chapters)
close
close
close
Preface
Icon
Preface
Icon
What this book covers
Icon
What you need for this book
Icon
Who this book is for
Icon
Reader feedback
Icon
Customer support
Lock Free Chapter
1
1. Setting up a Browser Client
chevron up
Icon
1. Setting up a Browser Client
Icon
ASP.NET Web API security architecture
Icon
Setting up your browser client
Icon
Authentication and authorization
Icon
Implementing authentication in HTTP message handlers
Icon
Setting the principal
Icon
Using the [Authorize] attribute
Icon
Custom authorization filters
Icon
Authorization inside a controller action
Icon
Summary
2
2. Enabling SSL for ASP.NET Web API
Icon
2. Enabling SSL for ASP.NET Web API
Icon
Enforcing SSL in a Web API controller
Icon
Using client certificates in Web API
Icon
Summary
3
3. Integrating ASP.NET Identity System with Web API
Icon
3. Integrating ASP.NET Identity System with Web API
Icon
Creating an Empty Web API Application
Icon
Installing the ASP.NET Identity NuGet packages
Icon
Setting up ASP.NET Identity 2.1
Icon
Defining Web API Controllers and methods
Icon
Summary
4
4. Securing Web API Using OAuth2
Icon
4. Securing Web API Using OAuth2
Icon
Hosting OWIN in IIS and adding Web API to the OWIN pipeline
Icon
Individual User Account authentication flow
Icon
Sending an unauthorized request
Icon
Get an access token
Icon
Send an authenticated request
Icon
Summary
5
5. Enabling Basic Authentication using Authentication Filter in Web API
Icon
5. Enabling Basic Authentication using Authentication Filter in Web API
Icon
Basic authentication with IIS
Icon
Basic authentication with custom membership
Icon
Basic authentication using an authentication filter
Icon
Setting an authentication filter
Icon
Implementing a Web API authentication filter
Icon
Setting an error result
Icon
Combining authentication filters with host-level authentication
Icon
Summary
6
6. Securing a Web API using Forms and Windows Authentication
Icon
6. Securing a Web API using Forms and Windows Authentication
Icon
Working of Forms authentication
Icon
Implementing Forms authentication in Web API
Icon
What is Integrated Windows Authentication?
Icon
Advantages and disadvantages of using the Integrated Windows Authentication mechanism
Icon
Configuring Windows Authentication
Icon
Difference between Basic Authentication and Windows authentication
Icon
Enabling Windows authentication in Katana
Icon
Summary
7
7. Using External Authentication Services with ASP.NET Web API
Icon
7. Using External Authentication Services with ASP.NET Web API
Icon
Using OWIN external authentication services
Icon
Implementing Facebook authentication
Icon
Implementing Twitter authentication
Icon
Implementing Google authentication
Icon
Implementing Microsoft authentication
Icon
Discussing authentication
Icon
Summary
8
8. Avoiding Cross-Site Request Forgery Attacks in Web API
Icon
8. Avoiding Cross-Site Request Forgery Attacks in Web API
Icon
What is a CSRF attack?
Icon
Anti-forgery tokens using HTML Form or Razor View
Icon
Anti-forgery tokens using AJAX
Icon
Summary
9
9. Enabling Cross-Origin Resource Sharing (CORS) in ASP.NET Web API
Icon
9. Enabling Cross-Origin Resource Sharing (CORS) in ASP.NET Web API
Icon
What is CORS?
Icon
How CORS works
Icon
Setting the allowed origins
Icon
Setting the allowed HTTP methods
Icon
Setting the allowed request headers
Icon
Setting the allowed response headers
Icon
Passing credentials in cross-origin requests
Icon
Enabling CORS at various scope
Icon
Summary
10
Index
Icon
Index

Implementing authentication in HTTP message handlers

For a self-hosted web API, the best practice is to implement authentication in an HTTP Message Handler. The principal will be set by the message handler after verifying the HTTP request. For a web API that is self-hosted, consider implementing authentication in a message handler. Otherwise, use an HTTP module instead.

The following code snippet shows an example of basic authentication implemented in an HTTP module:

public class AuthenticationHandler : DelegatingHandler
    {
        protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request,
                                                               CancellationToken cancellationToken)
        {
            var credentials = ParseAuthorizationHeader(request);

            if (credentials != null)
            {
                // Check if the username and passowrd in credentials are valid against the ASP.NET membership.
                // If valid, the set the current principal in the request context
                var identity = new GenericIdentity(credentials.Username);
                Thread.CurrentPrincipal = new GenericPrincipal(identity, null);;
            }

            return base.SendAsync(request, cancellationToken)
                .ContinueWith(task =>
                {
                    var response = task.Result;
                    if (credentials == null && response.StatusCode == HttpStatusCode.Unauthorized)
                        Challenge(request, response);

                    return response;
                });
        }

        protected virtual Credentials ParseAuthorizationHeader(HttpRequestMessage request)
        {
            string authorizationHeader = null;
            var authorization = request.Headers.Authorization;
            if (authorization != null && authorization.Scheme == "Basic")
                authorizationHeader = authorization.Parameter;

            if (string.IsNullOrEmpty(authorizationHeader))
                return null;

            authorizationHeader = Encoding.Default.GetString(Convert.FromBase64String(authorizationHeader));

            var authenticationTokens = authorizationHeader.Split(':');
            if (authenticationTokens.Length < 2)
                return null;

            return new Credentials() { Username = authenticationTokens[0], Password = authenticationTokens[1], };
        }

        void Challenge(HttpRequestMessage request, HttpResponseMessage response)
        {
            response.Headers.Add("WWW-Authenticate", string.Format("Basic realm=\"{0}\"", request.RequestUri.DnsSafeHost));
        }

        public class Credentials
        {
            public string Username { get; set; }
            public string Password { get; set; }
        }
    }
Visually different images
CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
ASP.NET Web API Security Essentials
End of Section 1
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon