ASP.NET Web API – Sigurnosna pitanja i odgovoriIvan MarkovićCloud Solutions Program Manager/Technology EvangelistSPAN

ASP.NET Web API in Modern

Architecture

ASP.NET Web API

About me

Ivan Marković

SPAN

Ivan.Markovic@span.eu

Cloud Solutions Program Manager/Technology evangelist

Student

Agenda

1. ASP.NET Web API Pipeline

2. OAuth 2.0

ASP.NET Web API Pipeline

Request Lifecylce

Application Domain

WebAPIApplication:HttpApplication

RouteTable.Routes

HttpWebRoute:Route

HttpControllerRouteHandler:IRouteHandl

er

HttpControllerHandleer:

IHttpAsyncHandler::IHttp[Handler

HttpControllerDispatcher:DelegatingHandle

r

HttpRoutingDispatcher:Delegating

Handler

AllRoutesHandler: Delegating Handler

HttpServer: DelegatingHandler

ActionFilters

ApiController: IHttpController

Http Context, Http Request, Http

Response

AuthorizationFilters

PerRouteHandler: Delegating Handler

Request Lifecylce

Application Domain

WebAPIApplication:HttpApplication

RouteTable.Routes

HttpWebRoute:Route

HttpControllerRouteHandler:IRouteHandl

er

HttpControllerHandleer:

IHttpAsyncHandler::IHttp[Handler

HttpControllerDispatcher:DelegatingHandle

r

HttpRoutingDispatcher:Delegating

Handler

AllRoutesHandler: Delegating Handler

HttpServer: DelegatingHandler

ActionFilters

ApiController: IHttpController

Http Context, Http Request, Http

Response

AuthorizationFilters

PerRouteHandler: Delegating Handler

Pipeline in Web API 2.0

IIS Web API

HttpModule MessageHandler

AuthenticationFilter

AuthorizationFilter

Host/Framework

independent concerns

Web API cross-cutting

concerns, eg. CORS

Web API specific

authentication

Authorization

HTTP Module

Allow security code to execute early as part of the IIS pipeline.

The principal established from an HTTP module is available to all components

The biggest drawback with HTTP modules is the lack of granularity.

Message Handler

Runs before Authentication and Authorization filters

Message handler runs only for Web API requests.

A message handler can be configured to run as a global handler for all requests or for a specific route.

The downside of using a message handler is the lack of finer control.

Action Filter

Another extensibility option provided by ASP.NET Web API

It runs after the authorization filters are run in the ASP.NET Web API pipeline.

Authentication vs Authorization

Authentication Authorization

Authentication is knowing the identity of the user.

Eg: Login()

Authorization is deciding whether a user is allowed

to perform an action.

Eg: Read, Write, Delete

Authorization Filter

Another extensibility option provided by ASP.NET Web API 

The order of execution of authorization filters isn’t guaranteed by ASP.NET Web API.

Authentication Filter

Authentication filters run after message handlers but before all other filter types. 

Authentication filters run before authorization filters!

Authentication filters offer a level of control or granularity that makes them particularly useful. 

Authentication Filter + Authorization Filter

Authentication Filter

Authorization Filter Action Method

No Action Taken

Does Not Execute

Rejects the Reqouest for the Lack of Authenticate

PrincipalRequest with no

Credential

Unathorized Response 401

Authentication Filter + Authorization Filter

Authentication Filter

Authorization Filter Action Method

contex.ErrorResult Is Set to Unathorized

Result

Does Not Execute

Request with Invalid Credential

Unathorized Response

Does Not Execute

Authentication Filter + Authorization Filter

Authentication Filter

Authorization Filter Action Method

Contex.Principal Is Set to an Authenticated

Princiapl

Action Method Runs and Produces a Response

Successfully Authorizes Because Identity is AuthenticRequest with Valid

Credential

Response MessageResponse Message

No Action Taken

ASP.NET Web API PipelineDemo

OAuth 2.0

Enterprise Security

Modern Applications

Users Clients Web APIs

OAuth 2.0

UserClient

Application

Authentication Server

Resource Server

OAuth 2.0

UserClient

Application

Authentication Server

Resource Server

Client_id = client1scope = search read

OAuth 2.0

UserClient

Application

Authentication Server

Resource Server

Access token

OAuth 2.0

UserClient

Application

Authentication Server

Resource Server

Access token

{ „iss”:”myAuthzServer”, „aud”:”application”, „exp”:”192990121”, „scope”:[„search”,”read”], „client_id”:”client1”}

Conclusion

IIS Web API

HttpModule MessageHandler

AuthenticationFilter

AuthorizationFilter

Host/Framework

independent concerns

Web API cross-cutting

concerns, eg. CORS

Web API specific

authentication

Authorization

Conclusion

UserClient

Application

Authentication Server

Resource Server

Q & A?

? ???

? ?