O'Reilly logo

RESTful .NET by Jon Flanders

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Chapter 8. Securing REST Endpoints

Security is always an important consideration when you’re building any kind of system. This is certainly true when you’re building services, perhaps more so because of the nature of exposing endpoints that could be called using a variety of toolkits and protocols. Those who favor SOAP services (specifically the WS-* set of specifications) tend to look down upon the security of RESTful services. In truth, though, enterprises have much more experience managing security for web applications than they do for SOAP service endpoints. Because RESTful services are just HTTP endpoints, all of the security techniques (HTTPS, certificates, etc.) that have been used for years with web applications are the same techniques we use for REST. Although it is certainly true that REST services don’t support end-to-end security over multiple protocols (as the suite of WS-Security-related protocols allows), in the end are you really going to need that?

In this chapter, we’ll look at the out-of-the-box capabilities that WCF 3.5 provides for building secure services with REST. First, we’ll discuss how to authenticate users of your WCF web endpoints, and then I’ll delve into the several ways available to authorize users once they’ve been authenticated.

Authenticating: Self-Hosted Endpoints

The security of an endpoint is set using properties of WebHttpBinding. Before we dive into the security functionality WebHttpBinding, it’s important to digress for a moment and consider ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required