ASP. NET Web API Security

The way to achieve security can be either host-provided or framework-provided.

1,http Module mode, which works on IIS, so the Web API is hosted on IIS. It acts on the most front-end of the HTTP pipeline, so this approach affects the global, blocking every request, and therefore insufficient elasticity.

2,owin Middleware, middleware is also a request interceptor, similar to HTTP Module, will intercept all requests, affecting the overall. It works on Owin pipeline (and therefore needs to meet the Owin standard Web server support, no longer relies on system.web), and the Web API 2 framework supports this approach. The benefit of middleware is that it can be common in different frameworks, such as MVC, while Owin is decoupled from the Web server (IIS), so middleware is available on either self-hosted or non-IIS. Of course also support Microsoft's own IIS, provided that (iis-integrated) ASP. NET pipeline, where the Host is actually a process, Owin program carrier, there are currently three kinds (iis/asp.net,Custom Host ,OwinHost.exe), the role of server is open a network socket, listen for requests, and send them through the pipeline of OWIN components specified by the user. There are currently two implementations of server Microsoft.Owin.Host.SystemWeb and Microsoft.Owin.Host.HttpListener

Reference: Http://www.asp.net/aspnet/overview/owin-and-katana/an-overview-of-project-katana

3,message Handler, the first two are in the way that host provides, and the Message handler is provided by the Web API framework. He does not rely on host or server. However, the granularity of its action is not thin enough to be used only for global or specific routes.

Scope of Action Example:

 Public Static classwebapiconfig{ Public Static voidRegister (httpconfiguration config) {config. Routes.maphttproute (Name:"Route1", Routetemplate:"Api/{controller}/{id}", defaults:New{id =routeparameter.optional}); Config. Routes.maphttproute (Name:"Route2", Routetemplate:"Api2/{controller}/{id}", defaults:New{id =routeparameter.optional}, Constraints:NULL, handler:  New MessageHandler2 ()  //Per-route Message Handler, specific route        ); CONFIG. Messagehandlers.add (  New MessageHandler1 ());  //Global Message Handler, globally    }}

4,filter mode, which is similar to the MVC filter concept. Also provided by the Web API framework, do not rely on host or server, can be used for global, controller, action level.

Order of Request: First authenticated filter (authentication filters), then authorization filter (authorization filters)

For IIS, the request pipeline looks like this:

ASP. NET Web API Security