ASP.NET Web API – Security Questions and Answers. Ivan Marković, Cloud Solutions Program Manager/Technology Evangelist, SPAN.


1 ASP.NET Web API – Security Questions and Answers. Ivan Marković, Cloud Solutions Program Manager/Technology Evangelist, SPAN

2 ASP.NET Web API in Modern Architecture

3 About me: Ivan Marković, SPAN, Ivan.Markovic@span.eu. Cloud Solutions Program Manager/Technology Evangelist. Student.

4 Agenda
1. ASP.NET Web API Pipeline
2. OAuth 2.0

5 ASP.NET Web API Pipeline

6 Request Lifecycle (web host, inside one application domain)
- WebAPIApplication : HttpApplication
- RouteTable.Routes -> HttpWebRoute : Route
- HttpControllerRouteHandler : IRouteHandler
- HttpControllerHandler : IHttpAsyncHandler, IHttpHandler (wraps HttpContext, HttpRequest and HttpResponse into the Web API message objects)
- HttpServer : DelegatingHandler
- Global message handlers, e.g. AllRoutesHandler : DelegatingHandler
- HttpRoutingDispatcher : DelegatingHandler
- PerRouteHandler : DelegatingHandler
- HttpControllerDispatcher : DelegatingHandler
- ApiController : IHttpController
- Authorization filters
- Action filters
- Action method


8 Pipeline in Web API 2.0
HttpModule -> MessageHandler -> Authentication Filter -> Authorization Filter
- HttpModule: host/framework independent concerns
- MessageHandler: Web API cross-cutting concerns, e.g. CORS
- Authentication Filter: Web API specific authentication
- Authorization Filter: authorization

9 HTTP Module. Allows security code to execute early, as part of the IIS pipeline, before the request reaches ASP.NET Web API; it exists only when Web API is hosted in ASP.NET/IIS, not when it is self-hosted. The principal established by an HTTP module is available to all downstream components (HttpContext.Current.User, Thread.CurrentPrincipal). The biggest drawback of HTTP modules is the lack of granularity: a module runs for every request to the application, Web API or not, and at that point knows nothing about the controller or action that will eventually handle the request.
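As an added example (not code from the presentation), an IHttpModule that authenticates from a request header during the IIS pipeline's AuthenticateRequest event. The X-Api-Key header name, the in-memory key table and the class name are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading;
using System.Web;

// Added example: an HTTP module that authenticates early in the IIS pipeline.
// Header name and key table are illustrative assumptions, not part of the original deck.
public class ApiKeyAuthModule : IHttpModule
{
    // Constructed sample keys; a real deployment looks these up in a secure store.
    private static readonly Dictionary<string, string> Keys = new Dictionary<string, string>
    {
        { "k-1234", "alice" }
    };

    public void Init(HttpApplication app)
    {
        // AuthenticateRequest is the same event the built-in authentication modules use.
        // Whatever principal is set here is visible to Web API, MVC and static-file handlers alike;
        // the module cannot tell which of them will eventually serve the request.
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        string key = app.Request.Headers["X-Api-Key"];
        if (key == null)
            return;   // no credential: leave the request anonymous, later stages decide

        string user;
        if (!Keys.TryGetValue(key, out user))
        {
            // Invalid credential: reject before any handler or controller runs.
            app.Response.StatusCode = 401;
            app.Response.AddHeader("WWW-Authenticate", "ApiKey");
            app.CompleteRequest();
            return;
        }

        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user) }, "ApiKey");
        var principal = new ClaimsPrincipal(identity);
        app.Context.User = principal;          // HttpContext.Current.User for everything downstream
        Thread.CurrentPrincipal = principal;   // what [Authorize] and User.Identity read in Web API
    }

    public void Dispose() { }
}
```

The module is registered under `<system.webServer><modules>` in web.config with an `<add name="ApiKeyAuthModule" type="ApiKeyAuthModule" />` entry; once registered it runs for every request the application receives, which is exactly the granularity problem the slide describes.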

10 Message Handler. Runs before authentication and authorization filters. A message handler runs only for Web API requests, so it cannot protect MVC pages or static files. A message handler can be configured to run as a global handler for all Web API requests or for a specific route only. The downside of a message handler is the lack of finer control: a global handler runs before routing, so it cannot make decisions per controller or per action.
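As an added example (not code from the presentation), a DelegatingHandler that authenticates a bearer token and the two ways of registering it, globally and per route. The token table, the route template and the class names are assumptions; real tokens would be validated, not looked up by value.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Dispatcher;

// Added example: a message handler that authenticates a bearer token before any filter runs.
// The token table is a constructed stand-in; real tokens are validated (signature, iss, aud, exp).
public class BearerTokenHandler : DelegatingHandler
{
    private static readonly Dictionary<string, string> Tokens = new Dictionary<string, string>
    {
        { "tok-abc", "alice" }   // constructed sample token -> user
    };

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;

        // No bearer credential: pass the request on anonymously; filters decide what to do.
        if (auth == null || !"Bearer".Equals(auth.Scheme, StringComparison.OrdinalIgnoreCase))
            return await base.SendAsync(request, cancellationToken);

        string user;
        if (auth.Parameter == null || !Tokens.TryGetValue(auth.Parameter, out user))
        {
            // Invalid credential: short-circuit here; routing, filters and the action never run.
            HttpResponseMessage reply = request.CreateResponse(HttpStatusCode.Unauthorized);
            reply.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
            return reply;
        }

        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user) }, "Bearer");
        var principal = new ClaimsPrincipal(identity);
        request.GetRequestContext().Principal = principal;   // Web API 2 request-scoped principal
        Thread.CurrentPrincipal = principal;                 // for code that reads the thread principal

        return await base.SendAsync(request, cancellationToken);
    }
}

public static class HandlerConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Option A: global. Runs for every request Web API receives, before routing,
        // so it cannot know which controller or action the request will reach.
        config.MessageHandlers.Add(new BearerTokenHandler());

        // Option B: per route. Only requests matching this (assumed) template pass through
        // the handler; other routes keep the default pipeline. Use A or B, not both.
        config.Routes.MapHttpRoute(
            name: "SecureApi",
            routeTemplate: "api/secure/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional },
            constraints: null,
            handler: HttpClientFactory.CreatePipeline(
                new HttpControllerDispatcher(config),
                new DelegatingHandler[] { new BearerTokenHandler() }));
    }
}
```

A per-route handler is the one place a message handler can be narrowed; anything finer (per controller, per action) has to move into an authentication or authorization filter.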

11 Action Filter. Another extensibility option provided by ASP.NET Web API. It runs after the authorization filters in the Web API pipeline, so by the time it executes the request has already been authorized; it is not the place for authentication or authorization decisions.

12 Authentication vs Authorization
- Authentication is knowing the identity of the user. E.g. Login()
- Authorization is deciding whether a user is allowed to perform an action. E.g. Read, Write, Delete

13 Authorization Filter. Another extensibility option provided by ASP.NET Web API. The order of execution of multiple authorization filters on the same action isn't guaranteed by ASP.NET Web API, so each filter must make its decision independently of the others.

14 Authentication Filter. Authentication filters run after message handlers but before all other filter types. Authentication filters run before authorization filters! Because they can be applied per controller or per action, authentication filters offer a level of control and granularity that makes them particularly useful.

15 Authentication Filter + Authorization Filter: request with no credential
- Authentication filter: no action taken
- Authorization filter: rejects the request for lack of an authenticated principal
- Action method: does not execute
- Result: Unauthorized response (401)

16 Authentication Filter + Authorization Filter: request with invalid credential
- Authentication filter: context.ErrorResult is set to an Unauthorized result
- Authorization filter: does not execute
- Action method: does not execute
- Result: Unauthorized response

17 Authentication Filter + Authorization Filter: request with valid credential
- Authentication filter: context.Principal is set to an authenticated principal
- Authorization filter: authorizes successfully because the identity is authenticated
- Action method: runs and produces a response
- Result: response message; the authentication filter takes no further action
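As an added example covering the three cases on slides 15 to 17 (not code from the presentation), an IAuthenticationFilter that leaves a request without credentials alone, sets ErrorResult for an invalid credential, and sets Principal for a valid one, plus the challenge that is added on the way out. The Basic scheme, the realm, the user table and the class names are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Filters;
using System.Web.Http.Results;

// Added example: an authentication filter showing the three outcomes from the slides above.
// The Basic scheme, the realm and the user table are assumptions, not part of the original deck.
public class BasicAuthenticationAttribute : Attribute, IAuthenticationFilter
{
    private static readonly AuthenticationHeaderValue Challenge =
        new AuthenticationHeaderValue("Basic", "realm=\"api\"");

    // Constructed sample credential; a real filter would verify a salted password hash.
    private static readonly Dictionary<string, string> Users = new Dictionary<string, string>
    {
        { "alice", "s3cret" }
    };

    public bool AllowMultiple { get { return false; } }

    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = context.Request.Headers.Authorization;

        // Slide 15: no credential (or a scheme this filter does not handle) -> no action.
        // The request stays anonymous; an authorization filter will then answer 401.
        if (auth == null || !"Basic".Equals(auth.Scheme, StringComparison.OrdinalIgnoreCase))
            return Task.FromResult(0);

        string[] parts = DecodeBasic(auth.Parameter);
        string expected;
        if (parts == null || !Users.TryGetValue(parts[0], out expected) || !FixedTimeEquals(expected, parts[1]))
        {
            // Slide 16: invalid credential -> ErrorResult. Authorization filters and the action
            // do not run; UnauthorizedResult already carries the WWW-Authenticate challenge.
            context.ErrorResult = new UnauthorizedResult(new[] { Challenge }, context.Request);
            return Task.FromResult(0);
        }

        // Slide 17: valid credential -> authenticated principal for the rest of the pipeline.
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, parts[0]) }, "Basic");
        context.Principal = new ClaimsPrincipal(identity);
        return Task.FromResult(0);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        // Runs on the way out. Covers slide 15: when an authorization filter produced the 401,
        // this adds the challenge so the client learns which scheme to use.
        context.Result = new ChallengeResult(context.Result, Challenge);
        return Task.FromResult(0);
    }

    private static string[] DecodeBasic(string parameter)
    {
        if (string.IsNullOrEmpty(parameter)) return null;
        try
        {
            string decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter));
            int colon = decoded.IndexOf(':');
            if (colon <= 0) return null;            // user name must be non-empty
            return new[] { decoded.Substring(0, colon), decoded.Substring(colon + 1) };
        }
        catch (FormatException) { return null; }    // not valid base64
    }

    // Compares without an early exit on the first mismatching character (length still leaks).
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Wraps the pending result and adds WWW-Authenticate only if it turned out to be a 401.
    private class ChallengeResult : IHttpActionResult
    {
        private readonly IHttpActionResult _inner;
        private readonly AuthenticationHeaderValue _challenge;

        public ChallengeResult(IHttpActionResult inner, AuthenticationHeaderValue challenge)
        {
            _inner = inner;
            _challenge = challenge;
        }

        public async Task<HttpResponseMessage> ExecuteAsync(CancellationToken cancellationToken)
        {
            HttpResponseMessage response = await _inner.ExecuteAsync(cancellationToken);
            if (response.StatusCode == HttpStatusCode.Unauthorized)
                response.Headers.WwwAuthenticate.Add(_challenge);
            return response;
        }
    }
}
```

Apply it as `[BasicAuthentication]` on a controller or action together with `[Authorize]`: the authentication filter only establishes (or refuses) an identity, and it is the authorization filter that turns a missing identity into the 401 of slide 15.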

18 ASP.NET Web API Pipeline Demo

19 OAuth 2.0

20 Enterprise Security

21 Modern Applications: Users, Clients, Web APIs

22 OAuth 2.0 roles: User (resource owner), Client Application, Authorization Server, Resource Server


24 OAuth 2.0: the Authorization Server issues an access token to the Client Application; the Client presents that access token to the Resource Server when calling the Web API on the User's behalf.

25 OAuth 2.0: User, Client Application, Authorization Server, Resource Server. The access token the Client presents to the Resource Server carries claims such as:
{
  "iss": "myAuthzServer",
  "aud": "application",
  "exp": 192990121,
  "scope": ["search", "read"],
  "client_id": "client1"
}
The Resource Server must check that iss is a trusted issuer, that aud names this API, and that exp (a numeric date in seconds since the Unix epoch) has not passed before it honours the scope values.
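As an added example (not code from the presentation), an authorization filter of the kind described on slide 13 that enforces the "scope" values carried by the access token above. It assumes an earlier stage (a message handler or authentication filter) has already validated the token's signature, iss, aud and exp and turned its claims into the request principal, with one claim of type "scope" per value; the attribute and controller names are illustrative.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Added example: an authorization filter that checks the token's "scope" claims.
// Assumes token validation already happened and produced a ClaimsPrincipal with "scope" claims.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public class RequireScopeAttribute : AuthorizationFilterAttribute
{
    private readonly string _scope;

    public RequireScopeAttribute(string scope)
    {
        _scope = scope;
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;

        // No authenticated identity: 401, the slide 15 case.
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        // Authenticated but not entitled: 403, not 401, since re-authenticating would not help.
        // Each RequireScope instance decides on its own, so the unspecified filter order on
        // slide 13 does not matter: the request passes only if every one of them passes.
        bool hasScope = principal.FindAll("scope").Any(c => c.Value == _scope);
        if (!hasScope)
        {
            actionContext.Response = actionContext.Request.CreateResponse(
                HttpStatusCode.Forbidden, "Required scope: " + _scope);
        }
        // Otherwise leave Response null and the action runs.
    }
}

// Illustrative controller (assumed names): the token on slide 25 has scope ["search", "read"],
// so it may call both actions; a token with only "read" gets 403 from Search.
public class DocumentsController : ApiController
{
    [RequireScope("read")]
    public IHttpActionResult Get(int id)
    {
        return Ok(new { id });
    }

    [HttpGet]
    [RequireScope("search")]
    public IHttpActionResult Search(string q)
    {
        return Ok(new[] { q });
    }
}
```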

26 Conclusion
HttpModule -> MessageHandler -> Authentication Filter -> Authorization Filter
- HttpModule: host/framework independent concerns
- MessageHandler: Web API cross-cutting concerns, e.g. CORS
- Authentication Filter: Web API specific authentication
- Authorization Filter: authorization

27 Conclusion: OAuth 2.0 roles: User, Client Application, Authorization Server, Resource Server

28 Q &amp; A


