
Post on 18-Jan-2016


ASP.NET Web API – Security Questions and Answers
Ivan Marković, Cloud Solutions Program Manager/Technology Evangelist, SPAN

ASP.NET Web API in Modern Architecture

ASP.NET Web API

About me

Ivan Marković

SPAN

Ivan.Markovic@span.eu

Cloud Solutions Program Manager/Technology evangelist

Student

Agenda

1. ASP.NET Web API Pipeline

2. OAuth 2.0

ASP.NET Web API Pipeline

Request Lifecycle (slide diagram: the path of a request from the host to the action)

Application Domain
WebAPIApplication : HttpApplication
RouteTable.Routes
HttpWebRoute : Route
HttpControllerRouteHandler : IRouteHandler
HttpControllerHandler : IHttpAsyncHandler : IHttpHandler
HttpServer : DelegatingHandler
HttpRoutingDispatcher : DelegatingHandler
AllRoutesHandler : DelegatingHandler
PerRouteHandler : DelegatingHandler
HttpControllerDispatcher : DelegatingHandler
ApiController : IHttpController (HttpContext, HttpRequest, HttpResponse)
AuthorizationFilters
ActionFilters


Pipeline in Web API 2.0 (slide diagram: where each extension point runs and what it is for)

HttpModule (IIS): host/framework independent concerns
MessageHandler (Web API): Web API cross-cutting concerns, e.g. CORS
AuthenticationFilter (Web API): Web API specific authentication
AuthorizationFilter (Web API): authorization

HTTP Module

Allows security code to execute early, as part of the IIS pipeline.

The principal established from an HTTP module is available to all components.

The biggest drawback with HTTP modules is the lack of granularity.

Message Handler

Runs before Authentication and Authorization filters

Message handler runs only for Web API requests.

A message handler can be configured to run as a global handler for all requests or for a specific route.

The downside of using a message handler is the lack of finer control.

Action Filter

Another extensibility option provided by ASP.NET Web API

It runs after the authorization filters are run in the ASP.NET Web API pipeline.

Authentication vs Authorization

Authentication is knowing the identity of the user. E.g. Login()
Authorization is deciding whether a user is allowed to perform an action. E.g. Read, Write, Delete

Authorization Filter

Another extensibility option provided by ASP.NET Web API 

The order of execution of authorization filters isn’t guaranteed by ASP.NET Web API.

Authentication Filter

Authentication filters run after message handlers but before all other filter types. 

Authentication filters run before authorization filters!

Authentication filters offer a level of control or granularity that makes them particularly useful. 

Authentication Filter + Authorization Filter (three cases from the slides)

Request with no credential:
  Authentication filter: no action taken
  Authorization filter: rejects the request for the lack of an authenticated principal
  Action method: does not execute
  Response: 401 Unauthorized

Request with invalid credential:
  Authentication filter: context.ErrorResult is set to an Unauthorized result
  Authorization filter: does not execute
  Action method: does not execute
  Response: Unauthorized response

Request with valid credential:
  Authentication filter: context.Principal is set to an authenticated principal
  Authorization filter: successfully authorizes because the identity is authenticated
  Action method: runs and produces a response
  Response: response message; no action taken

ASP.NET Web API Pipeline: Demo

OAuth 2.0

Enterprise Security

Modern Applications

Users, Clients, Web APIs

OAuth 2.0 (slide sequence)

Actors: User, Client Application, Authentication Server, Resource Server

1. Client Application -> Authentication Server: client_id = client1, scope = search read
2. Authentication Server -> Client Application: access token
3. Client Application -> Resource Server: access token, carrying the claims below

{ "iss":"myAuthzServer", "aud":"application", "exp":"192990121", "scope":["search","read"], "client_id":"client1" }
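An added example, not code from the slides, that ties the two preceding parts together: a Web API 2 authentication filter that produces the three outcomes from the "Authentication Filter + Authorization Filter" cases (no credential, invalid credential, valid credential) while validating the iss, aud and exp claims of the token just shown, followed by an authorization filter that decides on the scope claim. The class names, the RequireScope attribute and the injected decodeVerified delegate (the host's own token library, which verifies the signature and returns the claim set) are assumptions.

```csharp
using System;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using System.Web.Http.Results;
using Newtonsoft.Json.Linq;

// Maps the slides' three cases onto IAuthenticationFilter: no credential -> no action,
// invalid credential -> context.ErrorResult, valid credential -> context.Principal.
public class BearerTokenAuthenticationFilter : IAuthenticationFilter
{
    // Assumption: the host injects a delegate that verifies the token signature and returns
    // its claim set (the JSON shown on the slides), or null when the token is not genuine.
    private readonly Func<string, JObject> _decodeVerified;
    public BearerTokenAuthenticationFilter(Func<string, JObject> decodeVerified) { _decodeVerified = decodeVerified; }
    public bool AllowMultiple { get { return false; } }
    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken ct)
    {
        AuthenticationHeaderValue auth = context.Request.Headers.Authorization;
        if (auth == null || auth.Scheme != "Bearer") return Task.FromResult(0); // no credential: no action
        JObject claims = _decodeVerified(auth.Parameter ?? "");
        bool valid = claims != null
            && (string)claims["iss"] == "myAuthzServer"  // issued by the server we trust
            && (string)claims["aud"] == "application"    // addressed to this API, not another audience
            && (long?)claims["exp"] > DateTimeOffset.UtcNow.ToUnixTimeSeconds(); // present and not expired
        if (!valid)
        {   // invalid credential: set ErrorResult, so neither the authorization filter nor the action runs
            var challenge = new[] { new AuthenticationHeaderValue("Bearer") };
            context.ErrorResult = new UnauthorizedResult(challenge, context.Request);
            return Task.FromResult(0);
        }
        var identity = new ClaimsIdentity("Bearer"); // valid credential: authenticated principal
        identity.AddClaim(new Claim("client_id", (string)claims["client_id"] ?? ""));
        foreach (JToken scope in claims["scope"] ?? new JArray()) identity.AddClaim(new Claim("scope", (string)scope));
        context.Principal = new ClaimsPrincipal(identity);
        return Task.FromResult(0);
    }
    // The 401 built above already carries its WWW-Authenticate challenge, so nothing to add here.
    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken ct) { return Task.FromResult(0); }
}
// Authorization filter: runs after authentication and decides per action on the token's scope claim.
public class RequireScopeAttribute : AuthorizeAttribute
{
    private readonly string _scope; public RequireScopeAttribute(string scope) { _scope = scope; }
    protected override bool IsAuthorized(HttpActionContext actionContext) =>
        actionContext.RequestContext.Principal is ClaimsPrincipal p && p.Identity.IsAuthenticated && p.HasClaim("scope", _scope);
}
```

Register the authentication filter globally with config.Filters.Add(new BearerTokenAuthenticationFilter(yourDecoder)) and decorate individual actions with [RequireScope("read")] or [RequireScope("search")].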

Conclusion (pipeline recap)

HttpModule (IIS): host/framework independent concerns
MessageHandler (Web API): Web API cross-cutting concerns, e.g. CORS
AuthenticationFilter (Web API): Web API specific authentication
AuthorizationFilter (Web API): authorization

Conclusion (OAuth 2.0 recap)

Actors: User, Client Application, Authentication Server, Resource Server

Q & A?
