Security Authentication in ASP.NET MVC 4 Web API: Custom Authorize Filter

Source: Internet
Author: User
Tags http authentication oauth

Web API in ASP.NET MVC 4 provides a good way to develop API interfaces, and it adapts well to today's cross-platform mobile development. I believe that many projects now use web services as interfaces to provide data. Well, with Web API we can say goodbye to life with web services. Haha. Of course, I believe that WCF will be integrated into ASP.NET MVC in the near future.

 

When you develop an API that provides data, the most important thing is data security, so we need to think about how to ensure it. There is no SOAP header, so other methods have to be used, for example OAuth and HTTP authentication. This article discusses how to use HTTP authentication. An OAuth authentication scheme will be provided in the future ....

 

Note: for experienced developers, this article may be of little use, because it covers basic HTTP authentication knowledge.

 

Let's take a look at the example provided on the official ASP.NET MVC website: http://code.msdn.microsoft.com/ASPNET-Web-API-JavaScript-d0d64dd7

Web API:

 

Forms authentication is used by default, which is familiar to us. If you want to know how MVC implements the forms authentication check, you can download the MVC source code and take a look (reading that code gives me a headache). However, I can still understand this simple authentication part:

 

 

If the web API is called from other platforms, this authentication is of little use, and you need to customize the authentication method. The simple way is to inherit from the authorize attribute class (AuthorizeAttribute) and override its OnAuthorization method.

Assuming that we use HTTP Basic authentication, the OnAuthorization method is implemented as follows:

 

Check whether authentication information exists in the HTTP request header, and then decode it from Base64:
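An added example (not the article's original code) of the filter described above: a class derived from System.Web.Http.AuthorizeAttribute that overrides OnAuthorization, reads the Authorization header and decodes the Base64 credentials. The class name CustomBasicAuthorizeAttribute, the realm value, the HTTPS check and the ValidateUser placeholder are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Web.Http;
using System.Web.Http.Controllers;

// Added example, not the article's code; names and realm are assumptions.
public class CustomBasicAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        HttpRequestMessage request = actionContext.Request;
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        // Base64 is reversible, so credentials are only accepted over TLS.
        if (request.RequestUri.Scheme == Uri.UriSchemeHttps && auth != null
            && string.Equals(auth.Scheme, "Basic", StringComparison.OrdinalIgnoreCase))
        {
            string[] cred = Decode(auth.Parameter);
            if (cred != null && ValidateUser(cred[0], cred[1]))
            {
                // Make the caller's identity available to the controller.
                Thread.CurrentPrincipal =
                    new GenericPrincipal(new GenericIdentity(cred[0], "Basic"), new string[0]);
                return;
            }
        }
        // 401 plus WWW-Authenticate is what makes a browser show its login dialog.
        HttpResponseMessage response = request.CreateResponse(HttpStatusCode.Unauthorized);
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"api\""));
        actionContext.Response = response;
    }

    // Returns { user, password }, or null when the header value is malformed.
    private static string[] Decode(string parameter)
    {
        try
        {
            string pair = Encoding.UTF8.GetString(Convert.FromBase64String(parameter ?? ""));
            int colon = pair.IndexOf(':'); // split on the first colon only
            return colon > 0 ? new[] { pair.Substring(0, colon), pair.Substring(colon + 1) } : null;
        }
        catch (FormatException) { return null; }
    }
    // Hypothetical placeholder: replace with a check against stored password hashes.
    private static bool ValidateUser(string user, string password) { return false; }
}
```

Because OnAuthorization is fully overridden here, the base class's Users/Roles checks and [AllowAnonymous] handling are not applied. When hosted in IIS, also set HttpContext.Current.User so that both principals agree.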

 

Now test it in the browser: access a controller that has CustomBasicAuthorize applied. The Windows authentication dialog is displayed. Enter the user name and password, and follow the request with Fiddler:

 

 

 

 

 

 

HTTP request information:

 

The authentication information is encoded, but that offers no protection: Base64 is an encoding, not encryption, and it is trivially reversed. Therefore, this authentication method is suitable for a company's internal systems. If you really want to use it in a project, you can also use SSL.

 

The code above does not include the client call code for Objective-C or Android.

 
