Jonathan Wood

Reputation: 67193

Security for two websites talking to each other

I have two websites (one a new MVC app, and the other an older WebForms app). I need them to be able to communicate with each other.

I'm looking at implementing a RESTful Web API on both sites, and then having each site call the other site's Web API.

So far, so good, but what about authentication? I'm looking at Authentication Filters. They seem like a reasonable approach for the MVC app, but it looks like they may be unsupported on WebForms.

My question is, since the only entity that will ever be calling either of these APIs is the other website, is there a way to simplify this process? For example, could I just have a secret GUID and pass that, and if the other site gets the right GUID, then I assume it's okay?

Note that I will be using HTTPS. Also, we're not a bank. Security only needs to be reasonable and nothing more.

Upvotes: 0

Views: 82

Answers (1)

ChaiNavawongse

Reputation: 199

You can set up a simple user id/password for the client and pass it in with every request on the Authorization header. Then create a custom AuthorizationFilterAttribute to authenticate the credentials.

Something like this.

using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

public class MyAuthorizeAttribute : AuthorizationFilterAttribute
{
    // ICustomerAuthenticator is the answer's own abstraction: it takes the raw
    // Authorization parameter and reports whether it matched a known customer.
    public ICustomerAuthenticator CustomerAuthenticator { get; set; }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        // A request with no Authorization header must be rejected, not crash the filter.
        var authHeader = actionContext.Request.Headers.Authorization;
        var authInfo = authHeader?.Parameter ?? string.Empty;

        var authenticationResult = CustomerAuthenticator.Authenticate(new[] { authInfo });

        if (!authenticationResult.Authenticated)
        {
            // Setting Response here short-circuits the pipeline; the action never runs.
            actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized)
            {
                Content = new StringContent("You are not authorized.")
            };
        }
        else
        {
            // GenericPrincipal has no single-argument constructor; ClaimsPrincipal wraps the identity directly.
            var identity = new ClaimsIdentity(new List<Claim>
            {
                new Claim("CustomerId", authenticationResult.Customer.Id.ToString()),
                new Claim("CustomerName", authenticationResult.Customer.Name)
            }, "Basic");
            actionContext.RequestContext.Principal = new ClaimsPrincipal(identity);
        }
    }
}

Hope this helps.

Upvotes: 2
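An added example, not code from the question or the answer, of the answer's filter approach applied to the question's two-site case: the Web API 2 filter parses a Basic Authorization header, compares the configured client id and secret in fixed time, and rejects missing, malformed and wrong credentials with the same response. SharedSecretAuthorizeAttribute and its helpers are assumed names; ExpectedId and ExpectedSecret are placeholders for values loaded from protected configuration.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Text;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
// Expects "Authorization: Basic base64(clientId:clientSecret)" from the peer site.
public sealed class SharedSecretAuthorizeAttribute : AuthorizationFilterAttribute
{
    private const string ExpectedId = "peer-site";                // placeholder: load from config
    private const string ExpectedSecret = "<secret-from-config>"; // placeholder: load from config
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var header = actionContext.Request.Headers.Authorization;
        if (header == null || !"Basic".Equals(header.Scheme, StringComparison.OrdinalIgnoreCase)
            || !TryParseBasic(header.Parameter, out string id, out string secret)
            || !FixedTimeEquals(id, ExpectedId) || !FixedTimeEquals(secret, ExpectedSecret))
        {
            // Same response for missing, malformed and wrong credentials; short-circuits the action.
            actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
            return;
        }
        var identity = new ClaimsIdentity("Basic");
        identity.AddClaim(new Claim(ClaimTypes.Name, id));
        actionContext.RequestContext.Principal = new ClaimsPrincipal(identity);
    }
    private static bool TryParseBasic(string parameter, out string id, out string secret)
    {
        id = secret = null;
        if (string.IsNullOrEmpty(parameter)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter)); }
        catch (FormatException) { return false; }
        int colon = decoded.IndexOf(':');
        if (colon < 0) return false;
        id = decoded.Substring(0, colon);
        secret = decoded.Substring(colon + 1);
        return true;
    }
    // Running time does not depend on where the strings first differ, so timing cannot leak the secret.
    private static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a), y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < Math.Min(x.Length, y.Length); i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }
}
```

Because the credential travels in a header over HTTPS rather than in the URL, it stays out of server and proxy access logs; the fixed-time compare matters even for a GUID-style secret, since a plain string comparison returns early at the first mismatching byte.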
