Volume 29 Number 9 ASP.NET : ASP.NET Web API Security Filters

Badrinarayanan Lakshmiraghavan | September 2014

Authentication and authorization are cornerstones of application security. Authentication establishes the identity of a user by validating the credentials provided, while authorization determines whether a user is allowed to perform a requested action. A secured Web API authenticates requests and authorizes access to the requested resource based on the identity established. You can implement authentication in ASP.NET Web API using the extensibility points available in the ASP.NET Web API pipeline, as well as using options provided by the host. With the first version of ASP.NET Web API, a common practice is to use an authorization filter or an action filter to implement authentication. ASP.NET Web API 2 introduces a new authentication filter dedicated to the process. This new extensibility point allows authentication and authorization concerns to be cleanly separated. In this article, I'm going to introduce you to these two security filters and show you how to use them to implement authentication and authorization as separate concerns in ASP.NET Web API.

Options for Implementing Security Aspects

Authentication and authorization in ASP.NET Web API can be implemented using the extensibility points offered by the host, as well as those available in the ASP.NET Web API pipeline itself. Host-based options include HTTP modules and OWIN middleware components, while ASP.NET Web API extensibility options consist of message handlers, action filters, authorization filters and authentication filters. Host-based options integrate well into the host pipeline and are capable of rejecting invalid requests earlier in the pipeline. The ASP.NET Web API extensibility options, on the other hand, offer a finer level of control over the authentication process. That is, you'll be able to set different authentication mechanisms for different controllers and even different action methods. The trade-off is better integration with the host and early rejection of bad requests versus authentication granularity. Apart from these general characteristics, each option has its own pros and cons, as I'll cover in the sections that follow.

HTTP Module

This is an option for Web APIs running on IIS. HTTP modules allow security code to execute early as part of the IIS pipeline. The principal established by an HTTP module is available to all components, including the IIS components running later in the pipeline. For example, when the principal is established by an HTTP module in response to the AuthenticateRequest event, the username of the principal gets logged correctly in the cs-username field in IIS logs. The biggest drawback with HTTP modules is the lack of granularity. HTTP modules run for all requests coming into the application. For a Web application with different capabilities such as HTML markup generation, Web APIs and so on, having an HTTP module enforce authentication in one way is generally not a flexible-enough approach. Another disadvantage of using an HTTP module is the dependency on the host (IIS, in this case).

OWIN Middleware

This is another host-related option, available with OWIN hosts. Perhaps the most compelling reason for using OWIN middleware for security is that the same middleware can work across different frameworks. This means you can use multiple frameworks such as ASP.NET Web API, SignalR and so on in your application, yet use common security middleware. However, OWIN middleware's minimal granularity could be a shortcoming, because OWIN middleware runs in the OWIN pipeline and typically gets invoked for all requests. Also, OWIN middleware can be used only with OWIN-compatible hosts, although this dependency is comparatively better than taking a dependency on a specific host/server such as IIS, as is the case with HTTP modules. A point worth noting here is that OWIN middleware can run in the (IIS-integrated) ASP.NET pipeline, thanks to the package.

Message Handler

This is an extensibility option provided by ASP.NET Web API. The greatest benefit of using a message handler for security is that it is a concept of the ASP.NET Web API framework and, hence, doesn't depend on the underlying host or server. Also, a message handler runs only for Web API requests. The downside of using a message handler is the lack of finer control. A message handler can be configured to run as a global handler for all requests or for a specific route. For a given route, you can have multiple controllers. All these controllers and the action methods they contain must share the same authentication enforced by the message handler configured for that route. In other words, the lowest granularity for authentication implemented by a message handler is the route level.

Action Filter

Another extensibility option provided by ASP.NET Web API is the action filter.
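As an added illustration of the route-level granularity described above for message handlers (example code written for this page, not from the article): a hypothetical DelegatingHandler, ApiTokenHandler, authenticates by an assumed X-Api-Token header and is registered for a single route, so every controller behind that route shares its authentication while other routes are untouched. The token table is a constructed stand-in for a real token store.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Dispatcher;

// Hypothetical message handler: authenticates a request by its X-Api-Token
// header and attaches the principal; authorization stays with [Authorize].
public class ApiTokenHandler : DelegatingHandler
{
    // Constructed stand-in for a real token store (token -> user name).
    private static readonly Dictionary<string, string> Tokens = new Dictionary<string, string> { { "token-for-alice", "alice" } };

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        IEnumerable<string> values;
        string user;
        if (request.Headers.TryGetValues("X-Api-Token", out values)
            && Tokens.TryGetValue(values.First(), out user))
        {
            var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user) }, "ApiToken");
            // Web API 2: this is the principal that [Authorize] inspects later.
            request.GetRequestContext().Principal = new ClaimsPrincipal(identity);
        }
        // Missing or bad token: continue anonymously so the authorization filter
        // can reject, and advertise the scheme on any 401 that comes back.
        var response = await base.SendAsync(request, cancellationToken);
        if (response.StatusCode == HttpStatusCode.Unauthorized)
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("ApiToken"));
        return response;
    }
}

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Route-scoped registration: only requests matching this route go through
        // the handler, and every controller behind the route shares that check.
        config.Routes.MapHttpRoute("SecureApi", "api/secure/{controller}/{id}",
            new { id = RouteParameter.Optional }, null,
            HttpClientFactory.CreatePipeline(new HttpControllerDispatcher(config),
                                             new[] { new ApiTokenHandler() }));
    }
}
```

Registering the same handler with config.MessageHandlers.Add instead would make it global, which is the other configuration the text describes.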