Pro ASP.NET Web API Security

Foreword . .......................................................................................................................... xv
About the Author .............................................................................................................. xvii
About the Technical Reviewer . ......................................................................................... xix
Acknowledgments ............................................................................................................. xxi
Introduction . ................................................................................................................... xxiii
■Chapter 1: Welcome to ASP.NET Web API . .............................1 What Is a Web API, Anyway? .
......................................................................................................................................................1
A Primer on RESTful Web API ........................................................................................................3
Hello, ASP.NET Web API!.................................................................................................................4
WCF vs. ASP.NET Web API . ............................................................................................................4
Programming Model Differences ...........................................................................................................................5
Scenarios in Which ASP.NET Web API Shines ................................................................................6
A Primer on Security .....................................................................................................................8
Summary .....................................................................................................................................11
■Chapter 2: Building RESTful Services ....................................13 What Is a RESTful Service? .
....................................................................................................................................................13
Identification of Resources ..........................................................................................................14
Manipulation of Resources Through Representations .................................................................15
Self-Descriptive Messages ..........................................................................................................16
Scenario 1: JSON Representation . .......................................................................................................................17
Scenario 2: No Content Type . ...............................................................................................................................17
Scenario 3: XML Representation. .........................................................................................................................17
Scenario 4: Mix and Match . .................................................................................................................................18

Hypermedia as the Engine of Application State ..........................................................................18
Implementing and Consuming an ASP.NET Web API ....................................................................19
Our First Attempt in Securing a Web API .....................................................................................23
Summary .....................................................................................................................................28
■■Chapter 3: Extensibility Points ........................................................................................29
The What and Why of Extensibility Points ...................................................................................29
ASP.NET Web API Life Cycle .........................................................................................................30
Filters ..........................................................................................................................................32
Authorize Filter ....................................................................................................................................................32
Subclassed Authorize Filter ................................................................................................................................. 33
ActionFilter ..........................................................................................................................................................34
Message Handlers .......................................................................................................................34
HTTP Modules ............................................................................................................................38
Summary .....................................................................................................................................40
■■Chapter 4: HTTP Anatomy and Security ...........................................................................41
HTTP Transaction .........................................................................................................................41
HTTP Request ..............................................................................................................................42
Request Headers .........................................................................................................................43
HTTP Methods .............................................................................................................................43
Method Overriding ......................................................................................................................44
HTTP Response ...........................................................................................................................45
Status Codes ...............................................................................................................................46
The Curious Case of an Unhandled Exception ..................................................................................................... 47
Response Headers ......................................................................................................................48
Response Body ............................................................................................................................49
Web Caching ...............................................................................................................................50
Entity Tag ....................................................................................................................................53
Implementing ETag in ASP.NET Web API .............................................................................................................. 53
Testing ETag ActionFilter .....................................................................................................................................55

ETags for Managing Concurrency ........................................................................................................................ 57
Cross-Origin Resource Sharing ...................................................................................................59
Simple CORS ........................................................................................................................................................59
Preflighted Request .............................................................................................................................................63
HTTP Cookies ..............................................................................................................................66
Cookies and ASP.NET Web API ............................................................................................................................. 67
Proxy Server ................................................................................................................................70
HTTPS ..........................................................................................................................................71
Configuring HTTPS for ASP.NET Web API Hosted in IIS ........................................................................................ 73
Fiddler: A Tool for Web Debugging ...............................................................................................74
Capturing and Decrypting HTTPS Traffic .............................................................................................................. 75
Fiddler as Man-in-the-Middle .............................................................................................................................. 77
Summary .....................................................................................................................................79
■■Chapter 5: Identity Management .....................................................................................81
Authentication and Authorization ................................................................................................81
Role-Based Security ....................................................................................................................82
Identity and Principal ...........................................................................................................................................82
Using Generic Identity in a WinForms Application ............................................................................................... 83
Using Windows Identity in a Console Application ................................................................................................ 85
The Curious Case of Thread.CurrentPrincipal ..............................................................................87
Claims-Based Security ................................................................................................................88
Real-World Analogy .............................................................................................................................................89
Claims-Based Access Control vs. Role-Based Access Control ............................................................................ 90
Using Claims-Based Security ......................................................................................................90
Implementing Role-Based Access Control Using Claims ..................................................................................... 91
Implementing Claims-Based Access Control Using Claims ................................................................................. 92
Implementing Claims-Based ASP.NET Web API ...........................................................................94
Security Token .............................................................................................................................98
Token Formats .....................................................................................................................................................99
Summary ...................................................................................................................................101