RESTful WCF Data Service Authentication

I would like to implement a REST api on an existing ASP.NET MVC website. I was able to configure WCF data services so that I can view my data, but now the question is how to handle authentication.

At the moment, the data service is protected through the site created as a result of forms authentication, and this is normal when accessing the service from AJAX forms. However, it is not ideal for a RESTful api.

What I would like as an alternative to forms authentication is for users to simply put the username and password into the web service URL or pass them as request parameters.

For example, if my web service is usually available as

http://localhost:1234/api.svc 

I would like to have access to it using the URL

 http://localhost:1234/api.svc/{login}/{password} 

So my questions are:

  • Is this a reasonable approach?

  • If so, how can I implement this?

It seems like a trivial redirection of GET requests so that the username and password are attached as GET parameters. I also know how to check the HTTP context and use these parameters to filter the results. But I'm not sure if I can use the same approach for POST, PUT and DELETE requests. Can I use GET parameters in POST, PUT and DELETE requests?

Edit: The question is how to embed the username and password in the web service URL so that I can execute POST, PUT and DELETE requests to the web service. I know how to implement authentication when the web service is started and the username / password is contained somewhere in the HTTPContext. Also, I'm not looking for ways to implement forms or basic authentication. I know how to do this, but that’s not what I am looking for.

+4
4 answers

In the end, I used a triple approach; any of these authentication methods works fine in my data service:

  • Basic authentication with API key as password
  • Authentication with an API key embedded in the request header
  • URL-based authentication with an API key as an API path. I implemented this using an ASP.NET MVC proxy.
0
source
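The three ways of presenting an API key listed in the answer above, sketched as an added example (not the poster's code). The class name `ApiKeyAuth`, the `X-Api-Key` header and the `/api.svc/{key}/...` path layout are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration: all names, the X-Api-Key header and the path layout are assumptions.
public static class ApiKeyAuth
{
    // authorization: Authorization header value; apiKeyHeader: value of a hypothetical
    // X-Api-Key header; path: request path. Returns the presented key, or null.
    public static string ExtractKey(string authorization, string apiKeyHeader, string path)
    {
        if (authorization != null && authorization.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
        {
            try // Basic auth is base64("user:password"); the API key travels as the password
            {
                string pair = Encoding.UTF8.GetString(Convert.FromBase64String(authorization.Substring(6).Trim()));
                int colon = pair.IndexOf(':');
                if (colon >= 0 && colon < pair.Length - 1) return pair.Substring(colon + 1);
            }
            catch (FormatException) { } // malformed base64: try the other methods
        }
        if (!string.IsNullOrEmpty(apiKeyHeader)) return apiKeyHeader.Trim();
        const string root = "/api.svc/"; // key as the first path segment after the service root
        if (path != null && path.StartsWith(root, StringComparison.OrdinalIgnoreCase))
        {
            string segment = path.Substring(root.Length).Split('/')[0];
            if (segment.Length > 0) return segment;
        }
        return null;
    }

    // Only a SHA-256 of the key is stored; the comparison has no early exit on mismatch.
    public static bool IsValid(string presentedKey, byte[] storedSha256)
    {
        if (presentedKey == null || storedSha256 == null || storedSha256.Length != 32) return false;
        using (SHA256 sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(presentedKey));
            int diff = 0;
            for (int i = 0; i < digest.Length; i++) diff |= digest[i] ^ storedSha256[i];
            return diff == 0;
        }
    }

    public static void Main() // constructed sample key and path, for demonstration only
    {
        byte[] stored;
        using (SHA256 sha = SHA256.Create()) stored = sha.ComputeHash(Encoding.UTF8.GetBytes("demo-key"));
        Console.WriteLine(IsValid(ExtractKey(null, null, "/api.svc/demo-key/Products"), stored));
    }
}
```

Of the three, the URL form is the one that leaves the key in web server logs, proxy logs and browser history, so keys accepted that way are best treated as more exposed and rotated accordingly.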

I have not had to use RESTful authentication, but I do need to ensure that user groups have access rights to the REST service. I do this using an MD5 token that is passed to the web service (this is a regular JSON service, not a WCF wrapper). Basically, I “know” which websites my service is allowed to access, so I give them my own API key (which for simplicity is an MD5 of the domain name that is checked by an incoming filter against the urlreferrer, and if it matches the MD5, then it goes through).

I know that this is not an answer to authentication, but it is a medium-trust approach that works if you only need a coarse level of “authentication”.

I would be interested to see how others do it, for other projects for which I might need a more subtle approach to authentication.

0
source

OData - TechEd WCF Data Services Best Practices - Meta-Me - Site Home - MSDN Blogs

 <system.web.extensions>
   <scripting>
     <webServices>
       <authenticationService enabled="true" />
     </webServices>
   </scripting>
 </system.web.extensions>

How about this?

0
source

See if the below helps you:

Your first question:

  • Is this a reasonable approach?

    If your service works with https, I do not see any problems for using this method.

  • If so, how can I implement this?

You can use GET parameters with other methods as well. For example, here the stream is transmitted in the body.

 // fileName and userToken are bound from the URL; fileContents receives the POST body.
 [OperationContract]
 [WebInvoke(Method = "POST", UriTemplate = "UploadFile/{fileName}/{userToken}")]
 string UploadFile(string fileName, string userToken, Stream fileContents);
0
source

Source: https://habr.com/ru/post/1312794/

