Pro ASP.NET Web API Security: Securing ASP.NET Web API

Book description

ASP.NET Web API is a key part of ASP.NET MVC 4 and the platform of choice for building RESTful services that can be accessed by a wide range of devices. Everything from JavaScript libraries to RIA plugins, RFID readers to smart phones can consume your services using platform-agnostic HTTP.

With such wide accessibility, securing your code effectively needs to be a top priority. You will quickly find that the WCF security protocols you're familiar with from .NET (WS-* and similar) are less suitable than they once were in this new environment, proving cumbersome and limited in terms of the standards they can work with.

Fortunately, ASP.NET Web API provides a simple, robust security solution of its own that fits neatly within the ASP.NET MVC programming model and secures your code without the need for SOAP, meaning that there is no limit to the range of devices it can work with: if a device can understand HTTP, it can be secured by Web API. These SOAP-less security techniques are the focus of this book.

What you'll learn

  • Identity management and cryptography

  • HTTP basic and digest authentication and Windows authentication

  • HTTP advanced concepts such as web caching, ETag, and CORS

  • Ownership factors of API keys, client X.509 certificates, and SAML tokens

  • Simple Web Token (SWT) and signed and encrypted JSON Web Token (JWT)

  • OAuth 2.0 from the ground up using JWT as the bearer token

  • OAuth 2.0 authorization codes and implicit grants using DotNetOpenAuth

  • Two-factor authentication using Google Authenticator

  • OWASP Top Ten risks for 2013

Who this book is for

No prior experience of .NET security is needed to read this book. All security-related concepts are introduced from first principles and developed to the point where you can use them confidently in a professional environment. A good working knowledge of, and experience with, C# and the .NET Framework are the only prerequisites to benefit from this book.

Table of contents

    1. Title Page
    2. Dedication
    3. Contents at a Glance
    4. Contents
    5. Foreword
    6. About the Author
    7. About the Technical Reviewer
    8. Acknowledgments
    9. Introduction
    10. CHAPTER 1: Welcome to ASP.NET Web API
      1. What Is a Web API, Anyway?
      2. A Primer on RESTful Web API
      3. Hello, ASP.NET Web API!
      4. WCF vs. ASP.NET Web API
      5. Scenarios in Which ASP.NET Web API Shines
      6. A Primer on Security
      7. Summary
    11. CHAPTER 2: Building RESTful Services
      1. What Is a RESTful Service?
      2. Identification of Resources
      3. Manipulation of Resources Through Representations
      4. Self-Descriptive Messages
      5. Hypermedia as the Engine of Application State
      6. Implementing and Consuming an ASP.NET Web API
      7. Our First Attempt in Securing a Web API
      8. Summary
    12. CHAPTER 3: Extensibility Points
      1. The What and Why of Extensibility Points
      2. ASP.NET Web API Life Cycle
      3. Filters
      4. Message Handlers
      5. HTTP Modules
      6. Summary
    13. CHAPTER 4: HTTP Anatomy and Security
      1. HTTP Transaction
      2. HTTP Request
      3. Request Headers
      4. HTTP Methods
      5. Method Overriding
      6. HTTP Response
      7. Status Codes
      8. Response Headers
      9. Response Body
      10. Web Caching
      11. Entity Tag
      12. Cross-Origin Resource Sharing
      13. HTTP Cookies
      14. Proxy Server
      15. HTTPS
      16. Fiddler: A Tool for Web Debugging
      17. Summary
    14. CHAPTER 5: Identity Management
      1. Authentication and Authorization
      2. Role-Based Security
      3. The Curious Case of Thread.CurrentPrincipal
      4. Claims-Based Security
      5. Using Claims-Based Security
      6. Implementing Claims-Based ASP.NET Web API
      7. Security Token
      8. Summary
    15. CHAPTER 6: Encryption and Signing
      1. Cryptography
      2. Encrypting a Message Using Symmetric Keys
      3. Signing a Message Using Symmetric Keys
      4. Encrypting a Message Using Asymmetric Keys
      5. Signing a Message Using Asymmetric Keys
      6. Token Encryption and Signing
      7. Summary
    16. CHAPTER 7: Custom STS through WIF
      1. WS-Trust
      2. Building a Custom STS
      3. Requesting a Token from a Custom STS
      4. Summary
    17. CHAPTER 8: Knowledge Factors
      1. Basic Authentication
      2. Digest Authentication
      3. Windows Authentication
      4. Summary
    18. CHAPTER 9: Ownership Factors
      1. Preshared Key
      2. X.509 Client Certificate
      3. SAML Tokens
      4. Summary
    19. CHAPTER 10: Web Tokens
      1. Simple Web Token
      2. JSON Web Token
      3. JWT Handler
      4. Summary
    20. CHAPTER 11: OAuth 2.0 Using Live Connect API
      1. Use Case for OAuth: App-to-App Data Sharing
      2. OAuth 2.0 Roles
      3. OAuth 2.0 Client Types
      4. OAuth 2.0 Client Profiles
      5. OAuth 2.0 Authorization Grant Types
      6. Access Token
      7. Refresh Token
      8. Using Live Connect APIs
      9. Summary
    21. CHAPTER 12: OAuth 2.0 from the Ground Up
      1. Scenario: Sharing Contact Information
      2. Design
      3. HTTP Transactions
      4. Building the Contacts Manager Application
      5. Building the Promotion Manager Application
      6. Building the Authorization Server
      7. Building the Resource Server
      8. Security Considerations
      9. Summary
    22. CHAPTER 13: OAuth 2.0 Using DotNetOpenAuth
      1. Design
      2. HTTP Transactions
      3. Implementation Ground Work
      4. Building the Client Application
      5. Building the Authorization Server
      6. Building the Resource Server
      7. Implicit Grant
      8. Summary
    23. CHAPTER 14: Two-Factor Authentication
      1. Two Ways to Implement TFA
      2. Implementing Blanket TFA with ASP.NET Web API
      3. Google Authenticator
      4. Implementing Constant Per-Request TFA
      5. Implementing On-Demand Per-Request TFA
      6. Two-Factor Security through Mobile Phones
      7. Summary
    24. CHAPTER 15: Security Vulnerabilities
      1. OWASP Application Security Risks
      2. Security = Hardware + Software + Process
      3. Logging, Auditing, and Tracing
      4. Input Validation
      5. Summary
    25. APPENDIX: ASP.NET Web API Security Distilled
    26. Index

Product information

  • Title: Pro ASP.NET Web API Security: Securing ASP.NET Web API
  • Author(s): Badrinarayanan Lakshmiraghavan
  • Release date: March 2013
  • Publisher(s): Apress
  • ISBN: 9781430257820