WebAPI Identity Authentication Solution -- Phenix.NET Enterprise Application Software Rapid Development Platform. User Guide. 21. WebAPI Service (I)

Source: Internet
Author: User
Tags: sql injection attack

WEBAPI Service

ASP.NET Web API is a lightweight web services framework that Microsoft introduced with .NET Framework 4.5. It is a new, stand-alone development framework that supports access from many kinds of client (including mobile clients), and although it is part of ASP.NET it is well suited to building web platform applications.

Phenixヾ provides a comprehensive data service for implementing cross-platform application systems, built on the ASP.NET Web API service framework and its own business framework (which wraps CSLA), and adds supporting functions for service access such as identity authentication and authorization checks.

21.1 Starting the Service

Phenixヾ's WebAPI service runs in the .NET Framework 4.6 environment. The framework files are stored in the "\bin.net4.6" directory; when the service is needed, start the service program Phenix.Services.Host.x86.exe or Phenix.Services.Host.x64.exe from that directory.

When it starts, you will see the following prompt indicating that the service is ready:

21.2 Configuring the Service

The WEBAPI service provides the following configuration parameters:

• Web API HTTP port: the default value is 8080.

• Maximum number of concurrent HttpRequestMessage instances that can be processed at any one time (the effective limit is this value multiplied by the number of CPU cores): the default value is 100.

• Name of the additional authentication header carried in the HTTP request: the default value is "Phenix-Authorization".

• Name of the HTTP request header used to override the HTTP method, to work around HTTP proxies that do not support arbitrary HTTP methods (such as "PUT" and "DELETE"): the default value is "X-HTTP-Method-Override".

• HTTP cross-origin access switch: the list of origins allowed to access the service (comma-separated), with "*" meaning every origin is allowed: the default value is "*".

See:

The remaining parameters have no configuration interface; configure them directly in the config file:

In general the default configuration can be used as-is; otherwise the client must be adjusted to match. The Phenix.Web.Client project supplied by Phenixヾ uses the default configuration.

21.3 Identity Verification

When you put an application on the Internet, security is the first thing to consider. After evaluating the existing mainstream solutions, and taking into account the cross-platform requirements and the need to keep application development simple, Phenixヾ designed its security solution at the application level, mainly addressing the following security issues:

• Password confidentiality.

• Protection against forgery (impersonation) attacks.

• Protection against replay attacks.

• SQL injection attacks.

To ensure that the user's password is not compromised, the most basic requirement is that it is never transmitted in clear text in the data exchanged between client and server. Since the password is held only by the user and by the system, it can be used as the key of a symmetric encryption scheme: by encrypting headers, data and other information appropriately, the receiver can verify that the data came from the authorized sender.

21.3.1 Password Confidentiality

When a user registers, the initial password, whoever generates it, must be communicated to the other party so that both sides hold the same password (that is, the same key).

Phenixヾ recommends that the application system deliver the initial password through a third-party channel such as the user's email or mobile phone. Typically the system generates an initial password automatically and sends it to the user, who then logs into the system with it:

For this process, Phenixヾ provides a function for adding a new user, which the application system's authorization module can call:

Phenix.Core.Data.DefaultDatabase.ExecuteOle(Phenix.Core.Security.DataSecurityHub.AddUser, email address, user name, initial password)

Because this function manipulates the database directly, the calling code must be written on the server side.

Similarly, if the user forgets the login password, the user name and email address can be used in the same way to reset it:

Phenixヾ also provides a function for updating the login password that this process can call:

Phenix.Core.Data.DefaultDatabase.ExecuteOle(Phenix.Core.Security.DataSecurityHub.ChangePassword, user name, initial password)

Again, the calling code runs on the server.

The authorization module used in the scenarios above must be designed and developed by the application system itself to match its own use cases.

21.3.2 Protection against Forgery and Replay Attacks

To protect against forgery and replay attacks, Phenixヾ requires the client to include a nonce, a timestamp and a signature in the message header. The nonce is a random number, the timestamp is the current time, and the signature is the string obtained by AES-encrypting nonce + timestamp; the AES key and IV are both the MD5 hash of the user's login password.

The design is somewhat complicated to explain in words and easier to understand from the code. Below is the code with which AJAX automatically adds the authentication header ("Phenix-Authorization") to every message it sends, excerpted from "Phenix.Test.User Guide.21.3.html":

// Credentials cached on the client; beforeSend reads them to build the header for every request
var $user =
{
    UserNumber: "",
    Password: ""
};

$.ajaxSetup({
    beforeSend: function (xmlHttpRequest) {
        jQuery.support.cors = true;
        var nonce = Math.round(Math.random() * 999999999999999);
        var timestamp = new Date().toISOString();
        // MD5 of the password serves as both AES key and IV
        var key = CryptoJS.MD5($user.Password);
        // Header format: userNumber,nonce,timestamp,AES(nonce + timestamp)
        xmlHttpRequest.setRequestHeader("Phenix-Authorization",
            $user.UserNumber + "," + nonce + "," + timestamp + "," +
            CryptoJS.AES.encrypt(nonce + timestamp, key, { iv: key, mode: CryptoJS.mode.CBC }));
    }
});

Note: In a real deployment, cache the user name and password locally; the password must never be uploaded to the server. For browser applications, sensitive data passed when navigating between pages must likewise not pass through the server.

The corresponding Phenix.Web.Client.dll project has similar code in its HttpClient class:

/// <summary>
/// Sends an HTTP request to the inner handler to send to the server as an asynchronous operation
/// </summary>
public override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
    // Identity authentication format: [userNumber],[nonce],[timestamp],[signature = Encrypt(Password, nonce + timestamp)]
    // Other random number forms are also allowed, as long as there is no repetition within a logon-to-logoff cycle
    string nonce = Guid.NewGuid().ToString();
    DateTime timestamp = DateTime.Now;
    request.Headers.Add(Phenix.Web.Client.Properties.Settings.Default.WebAuthHeaderName,
        String.Format("{0},{1},{2},{3}", _userNumber, nonce, timestamp,
            RijndaelCryptoTextProvider.Encrypt(_password, nonce + timestamp)));
    return base.SendAsync(request, cancellationToken);
}

The "Phenix.Test.User Guide.21.3" project can be debugged to observe the effect:

Other runtime environments and development languages can interact with Phenixヾ's WebAPI service as long as their code follows the design described above. (Test cases in other languages will be completed later.)

21.3.3 Basic Operation Functions

Phenixヾ's identity authentication service provides the following basic operation functions:

Function                 Type     URI                 Parameters
Login                    POST     api/DataSecurity    userNumber=[user name]
Modify login password    PUT      api/DataSecurity    userNumber=[user name]&encryptedNewPassword=[encrypted new password]
Log out                  DELETE   api/DataSecurity    userNumber=[user name]

The following code is excerpted from "Phenix.Test.User Guide.21.3.html" and each function was tested in the Internet Explorer web browser.

21.3.3.1 Login

function LogOn(userNumber, password) {
    // Cache the credentials; the beforeSend hook uses them to build the Phenix-Authorization header
    $user.UserNumber = userNumber;
    $user.Password = password;
    $.ajax({
        type: "POST",
        url: "http://localhost:8080/api/DataSecurity?userNumber=" + userNumber,
        dataType: "json",
        contentType: "application/json;charset=utf-8",
        data: {},
        complete: function (xmlHttpRequest, textStatus) {
            if (xmlHttpRequest.status === 200)
                alert("Login successful! Status: " + xmlHttpRequest.statusText + ", Response: " + xmlHttpRequest.responseText);
            else if (xmlHttpRequest.status === 401)
                alert("Invalid login! Status: " + xmlHttpRequest.statusText + ", Response: " + xmlHttpRequest.responseText);
            else
                alert("Login failed! Status: " + xmlHttpRequest.statusText + ", Response: " + xmlHttpRequest.responseText);
        }
    });
}

21.3.3.2 Changing the login password

function ChangePassword(userNumber, password, newPassword) {
    $user.UserNumber = userNumber;
    $user.Password = password;
    // The new password is AES-encrypted with the MD5 of the current password as key and IV,
    // so it never travels in clear text; the server decrypts it with the same key
    var key = CryptoJS.MD5(password);
    $.ajax({
        type: "PUT",
        // The Base64 ciphertext may contain "+", "/" and "=", so it is URL-encoded for the query string
        url: "http://localhost:8080/api/DataSecurity?userNumber=" + userNumber +
            "&encryptedNewPassword=" + encodeURIComponent(CryptoJS.AES.encrypt(newPassword, key, { iv: key, mode: CryptoJS.mode.CBC })),
        dataType: "json",
        contentType: "application/json;charset=utf-8",
        data: {},
        complete: function (xmlHttpRequest, textStatus) {
            if (xmlHttpRequest.status === 200)
                alert("Login password modified successfully! Status: " + xmlHttpRequest.statusText + ", Response: " + xmlHttpRequest.responseText);
            else
                alert("Failed to modify login password! Status: " + xmlHttpRequest.statusText + ", Response: " + xmlHttpRequest.responseText);
        }
    });
}

21.3.3.3 Log Out

function LogOff(userNumber) {
    $.ajax({
        type: "DELETE",
        url: "http://localhost:8080/api/DataSecurity?userNumber=" + userNumber,
        dataType: "json",
        contentType: "application/json;charset=utf-8",
        data: {},
        complete: function (xmlHttpRequest, textStatus) {
            if (xmlHttpRequest.status === 200)
                alert("Log out successful! Status: " + xmlHttpRequest.statusText + ", Response: " + xmlHttpRequest.responseText);
            else
                alert("Log out failed! Status: " + xmlHttpRequest.statusText + ", Response: " + xmlHttpRequest.responseText);
        }
    });
}

21.3.3.4 Test Run

