Apress

Pro ASP.NET Web API Security

Securing ASP.NET Web API

By Badrinarayanan Lakshmiraghavan

Pro ASP.NET Web API Security Cover Image

ASP.NET Web API is a key part of ASP.NET MVC 4. It has become the platform of choice for building RESTful services. Securing ASP.NET Web API applications requires a move away from traditional WCF-based techniques in favor of new SOAP-less methods. The evaluation, selection and analysis of these new techniques is the focus of this book.

Full Description

  • ISBN13: 978-1-4302-5782-0
  • 416 Pages
  • User Level: Intermediate to Advanced
  • Publication Date: March 26, 2013
  • Available eBook Formats: EPUB, MOBI, PDF
  • Print Book Price: $49.99
  • eBook Price: $34.99
Buy eBook Buy Print Book Add to Wishlist

Related Titles

Full Description

ASP.NET Web API is a key part of ASP.NET MVC 4 and the platform of choice for building RESTful services that can be accessed by a wide range of devices. Everything from JavaScript libraries to RIA plugins, RFID readers to smart phones can consume your services using platform-agnostic HTTP.

With such wide accessibility, securing your code effectively needs to be a top priority. You will quickly find that the WCF security protocols you’re familiar with from .NET are less suitable than they once were in this new environment, proving themselves cumbersome and limited in terms of the standards they can work with.

Fortunately, ASP.NET Web API provides a simple, robust security solution of its own that fits neatly within the ASP.NET MVC programming model and secures your code without the need for SOAP, meaning that there is no limit to the range of devices that it can work with – if it can understand HTTP, then it can be secured by Web API. These SOAP-less security techniques are the focus of this book.

What you’ll learn

  • Identity management and cryptography
  • HTTP basic and digest authentication and Windows authentication
  • HTTP advanced concepts such as web caching, ETag, and CORS
  • Ownership factors of API keys, client X.509 certificates, and SAML tokens
  • Simple Web Token (SWT) and signed and encrypted JSON Web Token (JWT)
  • OAuth 2.0 from the ground up using JWT as the bearer token
  • OAuth 2.0 authorization codes and implicit grants using DotNetOpenAuth
  • Two-factor authentication using Google Authenticator
  • OWASP Top Ten risks for 2013

Who this book is for

No prior experience of .NET security is needed to read this book. All security related concepts will be introduced from first-principles and developed to the point where you can use them confidently in a professional environment. A good working knowledge of and experience with C# and the .NET framework are the only prerequisites to benefit from this book.

Table of Contents

Table of Contents

  1. Welcome to ASP.NET Web API
  2. Building RESTful Services
  3. Extensibility Points
  4. HTTP Anatomy and Security
  5. Identity Management
  6. Encryption and Signing
  7. Custom STS through WIF
  8. Knowledge Factors
  9. Ownership Factors
  10. Web Tokens
  11. OAuth 2.0 Using Live Connect API
  12. OAuth 2.0 From the Ground Up 
  13. OAuth 2.0 Using DotNetOpenAuth
  14. Two-Factor Authentication
  15. Security Vulnerabilities
  16. Appendix: ASP.NET Web API Security Distilled
Source Code/Downloads

Downloads are available to accompany this book.

Your operating system can likely extract zipped downloads automatically, but you may require software such as WinZip for PC, or StuffIt on a Mac.

Errata

If you think that you've found an error in this book, please let us know about it. You will find any confirmed erratum below, so you can check if your concern has already been addressed.

* Required Fields

On page 27:
The example for changing authorization from the web.config element to AuthorizeAttribute() filters neglects to mention that you need to add the [AllowAnonymous] attribute to the actions in the LoginController.

On page 28:
The solution provided to overcome a 302 redirect on a web api call is correct, but adding the AuthorizeAttribute as a global MVC filter as shown on the page prevents the login page from being reached as well.