Pro ASP.NET Web API Security: Securing ASP.NET Web API

Book Description

ASP.NET Web API is a key part of ASP.NET MVC 4 and the platform of choice for building RESTful services that can be accessed by a wide range of devices. Everything from JavaScript libraries to RIA plugins, RFID readers to smart phones can consume your services using platform-agnostic HTTP.

With such wide accessibility, securing your code effectively needs to be a top priority. You will quickly find that the WCF security protocols you're familiar with from .NET (WS-* and similar) are less suitable than they once were in this new environment, proving themselves cumbersome and limited in terms of the standards they can work with.

Fortunately, ASP.NET Web API provides a simple, robust security solution of its own that fits neatly within the ASP.NET MVC programming model and secures your code without the need for SOAP, meaning that there is no limit to the range of devices it can work with – if it can understand HTTP, then it can be secured by Web API. These SOAP-less security techniques are the focus of this book.

What you'll learn

  • Identity management and cryptography

  • HTTP basic and digest authentication and Windows authentication

  • HTTP advanced concepts such as web caching, ETag, and CORS

  • Ownership factors of API keys, client X.509 certificates, and SAML tokens

  • Simple Web Token (SWT) and signed and encrypted JSON Web Token (JWT)

  • OAuth 2.0 from the ground up using JWT as the bearer token

  • OAuth 2.0 authorization codes and implicit grants using DotNetOpenAuth

  • Two-factor authentication using Google Authenticator

  • OWASP Top Ten risks for 2013

Who this book is for

No prior experience of .NET security is needed to read this book. All security-related concepts will be introduced from first principles and developed to the point where you can use them confidently in a professional environment. A good working knowledge and experience of C# and the .NET Framework are the only prerequisites to benefit from this book.

Table of Contents

  1. Title Page
  2. Dedication
  3. Contents at a Glance
  4. Contents
  5. Foreword
  6. About the Author
  7. About the Technical Reviewer
  8. Acknowledgments
  9. Introduction
  10. CHAPTER 1: Welcome to ASP.NET Web API
    1. What Is a Web API, Anyway?
    2. A Primer on RESTful Web API
    3. Hello, ASP.NET Web API!
    4. WCF vs. ASP.NET Web API
    5. Scenarios in Which ASP.NET Web API Shines
    6. A Primer on Security
    7. Summary
  11. CHAPTER 2: Building RESTful Services
    1. What Is a RESTful Service?
    2. Identification of Resources
    3. Manipulation of Resources Through Representations
    4. Self-Descriptive Messages
    5. Hypermedia as the Engine of Application State
    6. Implementing and Consuming an ASP.NET Web API
    7. Our First Attempt in Securing a Web API
    8. Summary
  12. CHAPTER 3: Extensibility Points
    1. The What and Why of Extensibility Points
    2. ASP.NET Web API Life Cycle
    3. Filters
    4. Message Handlers
    5. HTTP Modules
    6. Summary
  13. CHAPTER 4: HTTP Anatomy and Security
    1. HTTP Transaction
    2. HTTP Request
    3. Request Headers
    4. HTTP Methods
    5. Method Overriding
    6. HTTP Response
    7. Status Codes
    8. Response Headers
    9. Response Body
    10. Web Caching
    11. Entity Tag
    12. Cross-Origin Resource Sharing
    13. HTTP Cookies
    14. Proxy Server
    15. HTTPS
    16. Fiddler: A Tool for Web Debugging
    17. Summary
  14. CHAPTER 5: Identity Management
    1. Authentication and Authorization
    2. Role-Based Security
    3. The Curious Case of Thread.CurrentPrincipal
    4. Claims-Based Security
    5. Using Claims-Based Security
    6. Implementing Claims-Based ASP.NET Web API
    7. Security Token
    8. Summary
  15. CHAPTER 6: Encryption and Signing
    1. Cryptography
    2. Encrypting a Message Using Symmetric Keys
    3. Signing a Message Using Symmetric Keys
    4. Encrypting a Message Using Asymmetric Keys
    5. Signing a Message Using Asymmetric Keys
    6. Token Encryption and Signing
    7. Summary
  16. CHAPTER 7: Custom STS through WIF
    1. WS-Trust
    2. Building a Custom STS
    3. Requesting a Token from a Custom STS
    4. Summary
  17. CHAPTER 8: Knowledge Factors
    1. Basic Authentication
    2. Digest Authentication
    3. Windows Authentication
    4. Summary
  18. CHAPTER 9: Ownership Factors
    1. Preshared Key
    2. X.509 Client Certificate
    3. SAML Tokens
    4. Summary
  19. CHAPTER 10: Web Tokens
    1. Simple Web Token
    2. JSON Web Token
    3. JWT Handler
    4. Summary
  20. CHAPTER 11: OAuth 2.0 Using Live Connect API
    1. Use Case for OAuth: App-to-App Data Sharing
    2. OAuth 2.0 Roles
    3. OAuth 2.0 Client Types
    4. OAuth 2.0 Client Profiles
    5. OAuth 2.0 Authorization Grant Types
    6. Access Token
    7. Refresh Token
    8. Using Live Connect APIs
    9. Summary
  21. CHAPTER 12: OAuth 2.0 from the Ground Up
    1. Scenario: Sharing Contact Information
    2. Design
    3. HTTP Transactions
    4. Building the Contacts Manager Application
    5. Building the Promotion Manager Application
    6. Building the Authorization Server
    7. Building the Resource Server
    8. Security Considerations
    9. Summary
  22. CHAPTER 13: OAuth 2.0 Using DotNetOpenAuth
    1. Design
    2. HTTP Transactions
    3. Implementation Ground Work
    4. Building the Client Application
    5. Building the Authorization Server
    6. Building the Resource Server
    7. Implicit Grant
    8. Summary
  23. CHAPTER 14: Two-Factor Authentication
    1. Two Ways to Implement TFA
    2. Implementing Blanket TFA with ASP.NET Web API
    3. Google Authenticator
    4. Implementing Constant Per-Request TFA
    5. Implementing On-Demand Per-Request TFA
    6. Two-Factor Security through Mobile Phones
    7. Summary
  24. CHAPTER 15: Security Vulnerabilities
    1. OWASP Application Security Risks
    2. Security = Hardware + Software + Process
    3. Logging, Auditing, and Tracing
    4. Input Validation
    5. Summary
  25. APPENDIX: ASP.NET Web API Security Distilled
  26. Index