DPS907 notes – Thu Oct 30

Assignment 1 specifications. Security topics for our web services.

.

Assignment 1 specifications

Details are still being worked on. It will include security topics. It will be due during week 10.

.

Security topics for our web services

Starting point: Make sure that you understand the terms Authentication and Authorization.

The following introduction was taken from a Microsoft post. It was edited to remove the parts that are not relevant to us.

From Authentication and Authorization in ASP.NET Web API, by Mike Wasson, Microsoft:

You’ve created a web API, but now you want to control access to it.

  • Authentication is knowing the identity of the user. For example, Alice logs in with her username and password, and the server uses the password to authenticate Alice.
  • Authorization is deciding whether a user is allowed to perform an action. For example, Alice has permission to get a resource but not create a resource.

The first article in the series gives a general overview of authentication and authorization in ASP.NET Web API.

Authentication

Web API assumes that authentication happens in the host. For web-hosting, the host is IIS, which uses HTTP modules for authentication. You can configure your project to use any of the authentication modules built in to IIS or ASP.NET, or write your own HTTP module to perform custom authentication.

When the host authenticates the user, it creates a principal, which is an IPrincipal object that represents the security context under which code is running. The host attaches the principal to the current thread by setting Thread.CurrentPrincipal. The principal contains an associated Identity object that contains information about the user.

If the user is authenticated, the Identity.IsAuthenticated property returns true. For anonymous requests, IsAuthenticated returns false.

Authorization

Authorization happens later in the pipeline, closer to the controller. That lets you make more granular choices when you grant access to resources.

  • Authorization filters run before the controller action. If the request is not authorized, the filter returns an error response, and the action is not invoked.
  • Within a controller action, you can get the current principal from the ApiController.User property. For example, you might filter a list of resources based on the user name, returning only those resources that belong to that user.

Web API provides a built-in authorization filter, AuthorizeAttribute. This filter checks whether the user is authenticated. If not, it returns HTTP status code 401 (Unauthorized), without invoking the action.

You can apply the filter globally, at the controller level, or at the level of individual actions.

.

Read the article’s section titled “Using the [Authorize] Attribute” for more information.
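As an added example (not code from these notes or from the Microsoft article), a Web API 2 controller that exercises the pieces named above: a controller-level [Authorize] filter, per-action filtering on ApiController.User, and one anonymous action that reports Identity.IsAuthenticated. The Document type, the in-memory store, the user names and the status route are constructed for this example.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web.Http;

// Constructed sample record: each document remembers its owner's user name.
public class Document
{
    public int Id { get; set; }
    public string Owner { get; set; }
    public string Title { get; set; }
}

// Controller-level [Authorize]: every action below requires an authenticated
// principal; otherwise the filter returns 401 and no action body runs.
[Authorize]
public class DocumentsController : ApiController
{
    // In-memory store standing in for a database (constructed for this example).
    private static readonly List<Document> Store = new List<Document>
    {
        new Document { Id = 1, Owner = "alice", Title = "Alice's notes" },
        new Document { Id = 2, Owner = "bob",   Title = "Bob's notes" },
        new Document { Id = 3, Owner = "alice", Title = "Alice's draft" }
    };

    // GET api/documents: ApiController.User is the IPrincipal the host attached,
    // so filter the list by its Identity.Name (alice sees ids 1 and 3 only).
    public IEnumerable<Document> Get()
    {
        string name = User.Identity.Name;
        return Store.Where(d => d.Owner == name);
    }

    // GET api/documents/2: a document owned by someone else answers 404, the same
    // as a missing id, so the response does not confirm that the document exists.
    public IHttpActionResult Get(int id)
    {
        var doc = Store.FirstOrDefault(d => d.Id == id && d.Owner == User.Identity.Name);
        return doc == null ? (IHttpActionResult)NotFound() : Ok(doc);
    }

    // GET api/documents/status (assumes attribute routing is enabled with
    // config.MapHttpAttributeRoutes()). [AllowAnonymous] opts this one action out
    // of the controller-level filter and reports IsAuthenticated for the caller.
    [AllowAnonymous, HttpGet, Route("api/documents/status")]
    public IHttpActionResult Status()
    {
        return Ok(new { authenticated = User != null && User.Identity.IsAuthenticated });
    }
}
```

With an unauthenticated request, only the status action answers (200 with authenticated = false); the other two are refused by the filter with 401 before the action code runs.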

.

FYI – authN is ‘authentication’, and authZ is ‘authorization’.

.

Our journey through this topic set will likely include these stops along the way:

Security on the web, 2014 version

OAuth 2 Authorization Framework (and in Wikipedia) (skim)

OpenID Connect (and in Wikipedia) (skim)

Microsoft Katana project (and a ‘getting started’ with OWIN and Katana) (skim only, because we use the components differently)
