验证一个网站/应用程序访问Web API服务
简介问题:
我只有用HTML和AngularJS取得了.NET一个Web API服务,以及网站。
Brief question: I've a Web API Service in .NET, and a Site made only with HTML and AngularJS.
如何授权给我的服务只我的网站?的
How can authorize to my service ONLY my web?
我在寻找一个安全的答案的一个问题,这似乎是常见的,但并非如此。我读了很多答案,想法和每一种在日晚的事情,但我无法找到解决方案。
I'm looking for a secure answer to a problem that seems to be common but is not. I read a lot of answers, ideas and every kind of things in the late days, but I couldn't find the solution.
让我们假设我已经从MS一个Web API服务(介绍最新的一个)。
所以我要申请需要消耗它。让我们定义两个场景。
Let's suppose I've a Web Api Service (the lastest one) from MS. So I have to application that need consumes it. Let's define two scenarios.
方案1:
在相同的IIS,我有一个ASP.NET MVC 3/4的特殊性,所有的MVC的工作是在客户端,通过AngularJS做的,所以应用程序直接指向从JavaScript到Web API服务。
In the same IIS, I've an ASP.NET MVC 3/4 with the particularity that all MVC work is on the client side, made by AngularJS, so the App points directly from JavaScript to the Web Api Service.
情景2:
我已经直接指向到Web API服务第三方应用程序,并找到其他网络/网站/任何东西,但相关的。
I've a third party application that points directly to the Web Api Service, and is locate in other network/site/anything but related.
所以,我的问题是:的
So, my question is:
为了如何可以验证这两个系统,向Web API服务可以访问两个系统(我不在乎,如果是同样的方式与否),而不是给一个REST客户端一个人例如接入,并记录与用户名/密码授权的网站?我希望这些例子都让我感兴趣的点的想法。
How can authenticate both systems, in order to the Web Api Service gives access to both system (I don't care if is the same way or not), and not give access for example to a guy with a REST client, and logged to the site with user/pass authorization? I hope these both examples gave the idea of the point what I'm interested.
下面您需要什么来改善这个问题,以更好的方式请发表评论!
Please comment below anything you need to improve this question in a better way!
顺便说一下,没有,不能使用模糊处理。
我想在像清凉的象征,但我想不出它。
By the way, no, obfuscation can not be used. I thought in something like a refreshing token but I can't figure it.
我将如何设置身份验证您的情景1
How I would set up authentication with your Scenario 1:
我将迫使静态文件要经过服务器,以确保认证
I will force the static files to go through the server in order to ensure authentication
的Web.config
<compilation>
<buildProviders>
<add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
<add extension=".htm" type="System.Web.Compilation.PageBuildProvider" />
</buildProviders>
</compilation>
<system.webServer>
<handlers>
<add name="HTML" path="*.html" verb="GET, HEAD, POST, DEBUG" type="System.Web.UI.PageHandlerFactory" resourceType="Unspecified" requireAccess="Script" />
<add name="HTM" path="*.htm" verb="GET, HEAD, POST, DEBUG" type="System.Web.UI.PageHandlerFactory" resourceType="Unspecified" requireAccess="Script" />
</handlers>
</system.webServer>
这将让我建立&LT;认证&GT; 和&LT;授权&GT; 在我的web.config这样的:
This will allow me to set up <authentication> and <authorization> in my web.config like:
<authorization>
<allow roles="demo" />
</authorization>
或
<authorization>
<deny users="?" />
</authorization>
此外我将我的登录页面:
Additionally I will set up my login page:
<authentication mode="Forms">
<forms path="/" loginUrl="~/login"..
对于情景2
也许你将需要启用CORS,如果是这样的话,你将需要:
Probably you will need to enable CORS, if it is the case you will need to:
设置配置选项 config.EnableCors(); 在注册方法;你还需要使用,使您的ApiController CORS的 [EnableCors] 与控制器一起声明属性,下面是一个例子,我是怎么做的:
Set the config option config.EnableCors(); in your Register method; you will also need to enable CORS in your ApiController by using [EnableCors] attribute along with the declaration of the controller, here is an example how I do it:
[EnableCors(origins: "http://localhost:49595", headers: "*", methods: "*")]
public class ValuesController : ApiController
{
...
最后以固定的WebAPI,我们将需要使用属性 [授权] 在控制器中,最有可能你需要定义自定义的验证方法来授权你的第二个呼叫者。您可以按以下步骤操作:
Finally to secure the WebApi we will need to use an attribute [Authorize] in the controllers and most likely you will need to define your custom authentication method to authorize your second callers. You could follow these steps:
- How to set up WebApi Custom Authorization