验证站点/应用程序以访问 Web API 服务
简短问题:我在 .NET 中有一个 Web API 服务,还有一个仅使用 HTML 和 AngularJS 制作的站点.
Brief question: I've a Web API Service in .NET, and a Site made only with HTML and AngularJS.
如何仅授权我的网站使用我的服务?
我正在寻找一个看似常见但并不常见的问题的安全答案.后期看了很多答案、想法和各种东西,但我找不到解决方案.
I'm looking for a secure answer to a problem that seems to be common but is not. I read a lot of answers, ideas and every kind of things in the late days, but I couldn't find the solution.
假设我有一个来自 MS 的 Web Api 服务(最新的).所以我必须应用需要消耗它.让我们定义两个场景.
Let's suppose I've a Web Api Service (the lastest one) from MS. So I have to application that need consumes it. Let's define two scenarios.
场景 1:
在同一个 IIS 中,我有一个 ASP.NET MVC 3/4,其特殊性是所有 MVC 工作都在客户端,由 AngularJS 制作,因此应用程序直接从 JavaScript 指向 Web Api 服务.
In the same IIS, I've an ASP.NET MVC 3/4 with the particularity that all MVC work is on the client side, made by AngularJS, so the App points directly from JavaScript to the Web Api Service.
场景 2:
我有一个直接指向 Web Api 服务的第三方应用程序,并且位于其他网络/站点/任何不相关的地方.
I've a third party application that points directly to the Web Api Service, and is locate in other network/site/anything but related.
所以,我的问题是:
如何对两个系统进行身份验证,以便 Web Api 服务可以访问两个系统(我不在乎是否以相同的方式),并且例如不授予具有 REST 客户端的人的访问权限,并通过用户/通行证授权登录到站点?我希望这两个例子都能说明我感兴趣的内容.
How can authenticate both systems, in order to the Web Api Service gives access to both system (I don't care if is the same way or not), and not give access for example to a guy with a REST client, and logged to the site with user/pass authorization? I hope these both examples gave the idea of the point what I'm interested.
请在下方评论您需要以更好的方式改进此问题的任何内容!
Please comment below anything you need to improve this question in a better way!
顺便说一下,不,不能使用混淆.我想过像一个令人耳目一新的令牌,但我想不通.
By the way, no, obfuscation can not be used. I thought in something like a refreshing token but I can't figure it.
我将如何为您的场景 1 设置身份验证:
How I would set up authentication with your Scenario 1:
我将强制静态文件通过服务器以确保身份验证
I will force the static files to go through the server in order to ensure authentication
Web.config
<compilation>
<buildProviders>
<add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
<add extension=".htm" type="System.Web.Compilation.PageBuildProvider" />
</buildProviders>
</compilation>
<system.webServer>
<handlers>
<add name="HTML" path="*.html" verb="GET, HEAD, POST, DEBUG" type="System.Web.UI.PageHandlerFactory" resourceType="Unspecified" requireAccess="Script" />
<add name="HTM" path="*.htm" verb="GET, HEAD, POST, DEBUG" type="System.Web.UI.PageHandlerFactory" resourceType="Unspecified" requireAccess="Script" />
</handlers>
</system.webServer>
这将允许我在我的 web.config 中设置
This will allow me to set up <authentication> and <authorization> in my web.config like:
<authorization>
<allow roles="demo" />
</authorization>
或
<authorization>
<deny users="?" />
</authorization>
另外,我将设置我的登录页面:
Additionally I will set up my login page:
<authentication mode="Forms">
<forms path="/" loginUrl="~/login"..
对于场景 2:
可能您需要启用 CORS,如果是这种情况,您需要:
Probably you will need to enable CORS, if it is the case you will need to:
在您的 Register 方法中设置配置选项 config.EnableCors();;您还需要使用 [EnableCors] 属性以及控制器的声明在您的 ApiController 中启用 CORS,这是我如何做到的一个示例:
Set the config option config.EnableCors(); in your Register method; you will also need to enable CORS in your ApiController by using [EnableCors] attribute along with the declaration of the controller, here is an example how I do it:
[EnableCors(origins: "http://localhost:49595", headers: "*", methods: "*")]
public class ValuesController : ApiController
{
...
最后,为了保护 WebApi,我们需要在控制器中使用属性 [Authorize],并且很可能您需要定义自定义身份验证方法来授权您的第二个调用者.您可以按照以下步骤操作:
Finally to secure the WebApi we will need to use an attribute [Authorize] in the controllers and most likely you will need to define your custom authentication method to authorize your second callers. You could follow these steps: