34

I'm implementing a RESTful web service using ASP.Net Web Api. I have concluded to use Basic authentication + SSL to do the authentication part. What is the best/correct way to implement that?

My first attempt was to do it manually, parsing the Authorization header, decoding and verifying the user against my database. It works, but I wonder if I am missing something.

I've seen some solutions using user roles and principals. While I'm not sure what these actually do, I'm almost sure I will not be needing these, since in my database I define my own users and their roles.

Also what I haven't yet completely understand, is if the consumers of the service must sent the credentials with each request or they are somehow cached. Should my service do something in order for this to happen, or it's completely up to the consumer to handle this?

And a last question about clients making requests with javascript. Would there be any "cross domain request" problems if they try to use the service?

Improve this question

3 Answers 3

Reset to default
30

Jamie Kurtze provides a good explanation of using Basic Authentication here ASP.NET Web API REST Security Basics

From my understanding, if you want your requests to be stateless then each request will require the Authentication field to be set

Jamie Kurtze wraps the necessary code in a class derived from DelegateHandler, while Rick Strahl checks if the call is valid using a Filter. You can read more at his blog post on this topic at A WebAPI Basic Authentication Authorization Filter

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Hello, when I wrote the question, it wasn't clear in my mind how the Principals and Roles are used (and how are they related to my own users). What I do now is using the Authentication header for passing the credentials and an Http module to uniformly check for the them. I will though take a look at your links when I have some time.
My implementation works just fine now, but these are good links for future readers.
Your first link the ASP.NET Web Api REST Security Basics is dead
25

Use basic authentication for the initial (sign in) request by adding a [BasicHttpAuthorize] attribute to the appropriate controllers/methods. Specify the Users and Roles with the attribute if desired. Define BasicHttpAuthorizeAttribute as a specialized AuthorizeAttribute like this:

public class BasicHttpAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        if (Thread.CurrentPrincipal.Identity.Name.Length == 0) { // If an identity has not already been established by other means:
            AuthenticationHeaderValue auth = actionContext.Request.Headers.Authorization;
            if (string.Compare(auth.Scheme, "Basic", StringComparison.OrdinalIgnoreCase) == 0) {
                string credentials = UTF8Encoding.UTF8.GetString(Convert.FromBase64String(auth.Parameter));
                int separatorIndex = credentials.IndexOf(':');
                if (separatorIndex >= 0) {
                    string userName = credentials.Substring(0, separatorIndex);
                    string password = credentials.Substring(separatorIndex + 1);
                    if (Membership.ValidateUser(userName, password))
                        Thread.CurrentPrincipal = actionContext.ControllerContext.RequestContext.Principal = new GenericPrincipal(new GenericIdentity(userName, "Basic"), System.Web.Security.Roles.Provider.GetRolesForUser(userName));
                }
            }
        }
        return base.IsAuthorized(actionContext);
    }
}

Have the initial response include an API key for the user. Use the API key for subsequent calls. That way, the client's authentication remains valid even if the user changes username or password. However, when changing password, give the user an option to "disconnect clients", which you implement by deleting the API key on the server.

Improve this answer

8 Comments

I have already resolved the issue but thanks for answering. I find it easier to pass, in all the API calls, the userName and password in the Authorization header, instead of using the token approach you suggest.
@Edward Thanks a lot for your post, I find it most help full. What user and role mechanism are you using in this example? BEcause I see you create a new GenericPrinsiple. Could you care to elaborate how I integrate your solution into a new empty web api project.
@Zapnologica This code uses the old membership identity model which Microsoft used prior to VS2013. The templates with VS2013 use the new OWIN-based identity system, which does a custom username/password authentication followed by use of bearer tokens, eliminating the need for BasicHttpAuthorize.
@EdwardBrey, Eish ok. haha That throws me off abit, So could you possibly point me in the correct direction? I need your example above but with the owin variant.
@Zapnologica Sorry, but I don't know of hand, since I didn't need this approach with OWIN. A quick search revealed an article which mentions Request.GetOwinContext to get a context from which you can call Authentication.User. Perhaps the answer lies in that direction.
|
1

Have a look here for a good basic authentication implementation

http://leastprivilege.com/2013/04/22/web-api-security-basic-authentication-with-thinktecture-identitymodel-authenticationhandler/

there is more to read about it at: https://github.com/thinktecture/Thinktecture.IdentityModel.45/wiki

Improve this answer

1 Comment

These links don't really answer my questions. Only the first question maybe, but they refer to configuring a third party security library. Because of lack time, I want to avoid using more libraries.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.