authorization

I'd like to create a web service architecture that can be called by various platforms such as mobile devices, winforms applications, iphone, blackberry, you name it. So going with something like WCF and wsHttp binding probably kills this and I would need to downgrade to a basicHttp binding for compatibility. With that said, I need a system to generate a token on initial login (authentication) and then use this token for all subsequent calls, I guess, to validate the authentication and allow the method to execute. Anyone have tips or suggestions on how to go about this? 1) Generate a token and

As I see I have 3 possible places to plug my stuff in the pipeline 1) AuthorizationFilters 2) Action Filters 3) DelegatingHandler The most obvious one is AuthorizationFilters , where I can decorate my actions/ controllers with my custom authorization attribute . say .. MyCustomAuthorizationAttribute . Since HTTP message handlers are in the first stage in the processing pipeline. Does it make any sense to put it in there ? Authorization for me right now simply means checking a token in the header which is given to the client after authentication. Update July 2014 My original answer covered

I have some endpoints in the API - /user/login , /products . In Swagger UI I post email and password to /user/login and as a response I receive a token string. Then, I can copy the token from the response and want to use it as Authorization header value in requests to all urls if it's present, and to /products as an example. Should I create a text input manually somewhere on the Swagger UI page, then put the token there and somehow inject in the requests or are there tools to manage it in a better way? You can add a header parameter to your request, and Swagger-UI will show it as an editable

I'm trying to integrate Spring Security in my web application. It seems pretty easy to do as long as you integrate the whole process of authentication and authorization. However, both authentication and authorization seem so coupled that it's being very time-consuming for me to understand how I could split these processes, and get authentication independently of authorization. The authentication process is external to our system (based on single sign-on) and this cannot be modified. Nevertheless, once the user succeeds this process, it's loaded in the session, including roles. What we are

Cross Site Request Forgery (CSRF) is typically prevent with one of the following methods: Check referer - RESTful but unreliable insert token into form and store the token in the server session - not really RESTful cryptic one time URIs - not RESTful for the same reason as tokens send password manually for this request (not the cached password used with HTTP auth) - RESTful but not convenient My idea is to use a user secret, a cryptic but static form id and JavaScript to generate tokens. <form method="POST" action="/someresource" id="7099879082361234103"> <input type="hidden" name="token"