security - Asp.Net Web Api: Protecting with a token? -
i protect asp.net web api service token. know implement sts server don't want other options.
i thinking leaving controller unprotected clients can call passing in username , password , return token, token used , needed call other controllers on service protected.
so brings questions, using delegatinghandler vs authorizeattribute. above option have authorizeattribute because need leave controller unprotected clients call in authenticate. don't see how use delegatinghandler technically protect complete service rather leaving 1 controller unprotected.
the other option see providing service allow clients authenticate , token , lock down second service using delegatinghandler..
lets imagine went down sts routing, still need provide way client contact "open" service / controller in turn call sts obtaining token.
so considering this, service best option
any or feedback appreciated.
i implemented similar scenario in past using hawk (https://github.com/hueniverse/hawk). have implementation in github hawk in .net integrates web api using message handlers.
https://github.com/pcibraro/hawknet
in way implemented in project. client application first makes call web api using basic authentication real username/password (using https). web api authenticates user , set of hawk credentials returned client (it equivalent token). rest of calls secured hawk using negotiated hawk credentials. simple , not involve sts.
Comments
Post a Comment