ASP.NET Web API Security

Source: Internet
Author: User

Security can be implemented either by the host or by the framework.

1. HTTP module. This works in IIS, so the Web API must be hosted on IIS. It sits at the very front of the HTTP pipeline, so it applies globally and intercepts every request, which makes it inflexible.

2. OWIN middleware. Middleware is also a request interceptor; like an HTTP module, it intercepts every request and so applies globally. It runs in the OWIN pipeline (so it needs a web server that supports the OWIN standard, and no longer relies on System.Web), and the Web API 2 framework supports this approach. The benefit of middleware is that it can be shared across frameworks, such as MVC, and because OWIN is decoupled from the web server (IIS), middleware is available whether the application is self-hosted or hosted on a non-IIS server. Microsoft's own IIS is supported as well, provided the (IIS-integrated) ASP.NET pipeline is used. The host is the process that carries the OWIN application; there are currently three kinds (IIS/ASP.NET, custom host, OwinHost.exe). The role of the server is to open a network socket, listen for requests, and send them through the pipeline of OWIN components specified by the user. There are currently two server implementations: Microsoft.Owin.Host.SystemWeb and Microsoft.Owin.Host.HttpListener.

Reference: http://www.asp.net/aspnet/overview/owin-and-katana/an-overview-of-project-katana

3. Message handler. The first two approaches are provided by the host, whereas the message handler is provided by the Web API framework. It does not rely on the host or server. However, its granularity is not fine enough: it can only be applied globally or to specific routes.

Example of handler scope:

    using System.Web.Http;

    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            config.Routes.MapHttpRoute(
                name: "Route1",
                routeTemplate: "api/{controller}/{id}",
                defaults: new { id = RouteParameter.Optional }
            );

            config.Routes.MapHttpRoute(
                name: "Route2",
                routeTemplate: "api2/{controller}/{id}",
                defaults: new { id = RouteParameter.Optional },
                constraints: null,
                handler: new MessageHandler2()  // Per-route message handler: applies to this route only
            );

            config.MessageHandlers.Add(new MessageHandler1());  // Global message handler: applies to every request
        }
    }
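A per-route message handler used as a security check, as an added example that is not part of the original article. ApiKeyHandler, Route2Config and the X-Api-Key header name are hypothetical; the point shown is that a handler passed to MapHttpRoute replaces the default dispatcher, so it must chain to HttpControllerDispatcher itself for authenticated requests to reach a controller.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Dispatcher;

// Hypothetical handler: rejects requests without a valid X-Api-Key header (header name is an assumption).
public class ApiKeyHandler : DelegatingHandler
{
    private readonly byte[] _expected;

    public ApiKeyHandler(string apiKey) { _expected = Hash(apiKey); }

    private static byte[] Hash(string s)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(s));
    }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        IEnumerable<string> values;
        string supplied = request.Headers.TryGetValues("X-Api-Key", out values)
            ? values.FirstOrDefault() ?? "" : "";
        // Compare fixed-length hashes with no early exit, so timing does not reveal a partial match.
        byte[] actual = Hash(supplied);
        int diff = 0;
        for (int i = 0; i < _expected.Length; i++) diff |= actual[i] ^ _expected[i];
        if (diff != 0)
            return Task.FromResult(request.CreateResponse(HttpStatusCode.Unauthorized));
        return base.SendAsync(request, cancellationToken);
    }
}

public static class Route2Config
{
    public static void Register(HttpConfiguration config, string apiKey)
    {
        // A per-route handler replaces the default dispatcher; chain to it so valid requests reach a controller.
        var handler = new ApiKeyHandler(apiKey) { InnerHandler = new HttpControllerDispatcher(config) };
        config.Routes.MapHttpRoute("Route2", "api2/{controller}/{id}",
            new { id = RouteParameter.Optional }, null, handler);
    }
}
```

Routes registered without this handler (such as Route1 above) are not covered by the check, which is the granularity limit described for message handlers.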

4. Filter. This is similar to the MVC filter concept. Filters are also provided by the Web API framework and do not rely on the host or server; they can be applied at the global, controller, or action level.

Order of execution for a request: authentication filters run first, then authorization filters.

For IIS, the request pipeline looks like this:
