RobD

Reputation: 21

REST WebApi username/password security

I am designing a series of web services using the new Microsoft ASP.NET MVC 4 WebApi.

For any call to any of these services, a username and password must be passed each time, and these details must be checked in SQL Server to authorize the user.

Questions:

1) Would it be correct to pass the username and password each time using the basic authentication headers or perhaps custom HTTP headers? The thing is I don't want to interfere with the querystring or the request body in each call and would prefer headers.

2) Once passed in headers, how can I use the authorize attribute to call my method that verifies the user is valid in SQL? Do I need to roll a custom authorize attribute?

Upvotes: 2

Views: 9772

Answers (2)

leon.io

Reputation: 2824

  1. Yes, provided it's over HTTPS - Take a look here at writing your own message handler, http://sixgun.wordpress.com/2012/02/29/asp-net-web-api-basic-authentication/

Upvotes: 1

Aliostad

Reputation: 81660

There are a few implementations already there, the best being Dominick Baier's:

http://leastprivilege.com/2012/05/26/thinktecture-identitymodel-and-asp-net-web-api/

This one is using attributes:

http://www.piotrwalat.net/basic-http-authentication-in-asp-net-web-api-using-membership-provider/

Upvotes: 1
