
2013 | Book

Pro ASP.NET Web API Security

Securing ASP.NET Web API


About this book

ASP.NET Web API is a key part of ASP.NET MVC 4 and the platform of choice for building RESTful services that can be accessed by a wide range of devices. Everything from JavaScript libraries to RIA plugins, RFID readers to smart phones can consume your services using platform-agnostic HTTP.

With such wide accessibility, securing your code effectively needs to be a top priority. You will quickly find that the WCF security protocols you’re familiar with from .NET are less suitable than they once were in this new environment, proving themselves cumbersome and limited in terms of the standards they can work with.

Fortunately, ASP.NET Web API provides a simple, robust security solution of its own that fits neatly within the ASP.NET MVC programming model and secures your code without the need for SOAP, meaning that there is no limit to the range of devices that it can work with – if it can understand HTTP, then it can be secured by Web API. These SOAP-less security techniques are the focus of this book.

Table of contents

Frontmatter
Chapter 1. Welcome to ASP.NET Web API
Summary
If you have chosen to read this book, which is on ASP.NET Web API security, it is highly likely that you are familiar with ASP.NET Web API. In case you are not or simply would like me to begin at the beginning, this introductory chapter along with the next chapter will help you gain a quick understanding of the basics of ASP.NET Web API and help you appreciate the need for the emphasis on security for ASP.NET Web API applications.
Badrinarayanan Lakshmiraghavan
Chapter 2. Building RESTful Services
Summary
One of the important characteristics of the popular web APIs in use today is that they are RESTful services, or at least they are not SOAP based.
Badrinarayanan Lakshmiraghavan
Chapter 3. Extensibility Points
Summary
ASP.NET Web API is a framework. The key defining attribute of a framework is that it is in control of the execution flow and calls the application-specific code written by developers like us at the appropriate time. We don’t call the framework code but it calls us, in line with the Hollywood principle. The most fundamental lever that we use to harness the power of the ASP.NET Web API framework in building a service is the ApiController subclass that we write. It is the business end where all the application-specific action happens.
Badrinarayanan Lakshmiraghavan
Chapter 4. HTTP Anatomy and Security
Summary
The primary benefit of creating an HTTP service is reachability. A broad range of clients in disparate platforms can consume your HTTP services. A client application on an Apple iPhone running iOS can talk to ASP.NET Web API hosted in an HP ProLiant server running the Microsoft Windows 2012 OS. Similarly, an application on a Microsoft Surface tablet running Windows 8 Pro can talk to an HTTP service hosted on the IBM System z. HTTP is the secret sauce behind these disparate device-platform interactions.
Badrinarayanan Lakshmiraghavan
Chapter 5. Identity Management
Summary
In this chapter, I cover an important aspect of securing an application: identity management. The term has a broader meaning but our focus is limited to how a subject or an entity gets authenticated and how the actions an entity attempts to perform are authorized by an application in the context of the .NET Framework.
Badrinarayanan Lakshmiraghavan
Chapter 6. Encryption and Signing
Summary
Encryption is the process of transforming data in plain text and making it unreadable to all except those who are meant to read the data, with the goal of confidentiality. Signing, or more specifically digital signing, is the process by which a digital signature is created to demonstrate the authenticity and integrity of data. A valid signature gives the recipient the confidence that the data received is indeed from the correct sender and that the data is not tampered with in any way during transit.
Badrinarayanan Lakshmiraghavan
Chapter 7. Custom STS through WIF
Summary
A Security Token Service (STS) is a web service that issues security tokens. The concept of STS is defined in a web service specification called WS-Trust, which specifies how a security token must be requested and issued. Creating an STS from scratch involves a fair bit of work. Windows Identity Foundation (WIF), a framework from Microsoft, does all the work for you by abstracting away the nuts and bolts of WS-Trust and presenting a nice API surface for you to work on as you build an STS.
Badrinarayanan Lakshmiraghavan
Chapter 8. Knowledge Factors
Summary
In Chapter 5, I covered one of the key and fundamental aspects of security: authentication. Authentication is the process of discovering the identity of a user and verifying the same through validating the user-supplied credentials against an authority. The credential can be a knowledge factor based on what a user knows, such as a password, or an ownership factor based on what a user owns, such as a security token, or an inherence factor based on what the user is, such as fingerprints. The focus of this chapter is on the knowledge factor.
Badrinarayanan Lakshmiraghavan
Chapter 9. Ownership Factors
Summary
As you saw in Chapter 5, authentication is a fundamental aspect of security that involves verifying credentials supplied by a user to establish an identity for the user in an application. A credential can be a knowledge factor that the user knows, an ownership factor that the user owns, or an inherence factor that the user is. I covered knowledge factors in Chapter 8. In this chapter, I focus on ownership factors.
Badrinarayanan Lakshmiraghavan
Chapter 10. Web Tokens
Summary
A security token is a container of claims packaged for secure transportation over the network. As the carrier of claims, security tokens have an important role to play in the claims-based security model covered in Chapter 5. A token issuance authority issues a token to a client application after authenticating the user credentials. The client application then presents this token to the relying party (RP) application as a user credential. The RP application verifies the token and establishes the identity for the user based on the claims contained in the token.
Badrinarayanan Lakshmiraghavan
Chapter 11. OAuth 2.0 Using Live Connect API
Summary
WS-* (pronounced WS-STAR) is the name used to refer collectively to the specifications built for SOAP-based web services. One such specification is WS-Trust, which provides a framework for requesting, issuing, and validating security tokens. I covered WS-Trust in Chapter 7. Another member of the WS-* family is WS-Security, a specification that describes how to include security tokens in SOAP messages to be presented by the client application to the web service as credentials for authentication and authorization. WS-Trust and WS-Security in combination provide a standard way for a client application to request and obtain a security token and then present it to the relying party SOAP-based web service as a credential for authentication.
Badrinarayanan Lakshmiraghavan
Chapter 12. OAuth 2.0 from the Ground Up
Summary
In this chapter, I show you how to implement OAuth 2.0-based authorization in ASP.NET Web API from scratch, using two ASP.NET MVC web applications, so that you understand the nuts and bolts of OAuth 2.0. The objective of this chapter is to help you gain in-depth knowledge of how the authorization code grant type of OAuth 2.0 works by building a working example from the ground up. I focus my coverage on the authorization code grant type for this exercise because it involves a more complex flow than the other grant types.
Badrinarayanan Lakshmiraghavan
Chapter 13. OAuth 2.0 Using DotNetOpenAuth
Summary
In this chapter, we implement OAuth 2.0-based authorization in ASP.NET Web API using DotNetOpenAuth (DNOA). DotNetOpenAuth (http://www.dotnetopenauth.net/) is a well-established open source .NET Framework library that can help you implement production-grade OAuth 2.0-based authorization for your web API.
Badrinarayanan Lakshmiraghavan
Chapter 14. Two-Factor Authentication
Summary
A system identifies a user through a user identifier, commonly abbreviated to user ID. The process by which a system confirms that a user really is who the user claims to be is called authentication. We saw in Chapter 5 that there are three types of credentials through which a user can be authenticated: knowledge factor (what a user knows), ownership factor (what a user owns), and inherence factor (what a user is).
Badrinarayanan Lakshmiraghavan
Chapter 15. Security Vulnerabilities
Summary
We saw in Chapter 1 that the term information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to ensure confidentiality, integrity, and availability. Related to this, we have seen how an application can identify and authenticate entities using the three factors based on knowledge, ownership, and inherence to control the access of protected application resources from unauthorized entities. Also, we examined how cryptography can help ensure the two important aspects of message security: confidentiality through encryption and integrity through digital signing techniques. We also looked at transport security achieved through TLS over HTTP (HTTPS).
Badrinarayanan Lakshmiraghavan
Backmatter
Metadata
Title
Pro ASP.NET Web API Security
Written by
Badrinarayanan Lakshmiraghavan
Copyright year
2013
Publisher
Apress
Electronic ISBN
978-1-4302-5783-7
Print ISBN
978-1-4302-5782-0
DOI
https://doi.org/10.1007/978-1-4302-5783-7