ASP.net Web API RESTful web service + Basic authentication
I\'m implementing a RESTful web service using ASP.Net Web Api. I have concluded to use Basic authentication + SSL to do the authentication part. What is the best/correct way
-
Use basic authentication for the initial (sign in) request by adding a
[BasicHttpAuthorize]attribute to the appropriate controllers/methods. Specify the Users and Roles with the attribute if desired. DefineBasicHttpAuthorizeAttributeas a specialized AuthorizeAttribute like this:public class BasicHttpAuthorizeAttribute : AuthorizeAttribute { protected override bool IsAuthorized(HttpActionContext actionContext) { if (Thread.CurrentPrincipal.Identity.Name.Length == 0) { // If an identity has not already been established by other means: AuthenticationHeaderValue auth = actionContext.Request.Headers.Authorization; if (string.Compare(auth.Scheme, "Basic", StringComparison.OrdinalIgnoreCase) == 0) { string credentials = UTF8Encoding.UTF8.GetString(Convert.FromBase64String(auth.Parameter)); int separatorIndex = credentials.IndexOf(':'); if (separatorIndex >= 0) { string userName = credentials.Substring(0, separatorIndex); string password = credentials.Substring(separatorIndex + 1); if (Membership.ValidateUser(userName, password)) Thread.CurrentPrincipal = actionContext.ControllerContext.RequestContext.Principal = new GenericPrincipal(new GenericIdentity(userName, "Basic"), System.Web.Security.Roles.Provider.GetRolesForUser(userName)); } } } return base.IsAuthorized(actionContext); } }Have the initial response include an API key for the user. Use the API key for subsequent calls. That way, the client's authentication remains valid even if the user changes username or password. However, when changing password, give the user an option to "disconnect clients", which you implement by deleting the API key on the server.
加载中...
- 热议问题