c# - Handling security in an ASP MVC application that uses JS to a REST API -


i have asp mvc4 web site. originally, of content served via controllers 1 expect. have moved data storage sql server mongodb. have added lot of ajax update data client side, without full refresh. working fine, controllers have lots of methods take json , return json. able build node.js server hits database , exposes same functionality, without lots of going , c#.

my javascript client-side calling node.js rest api, works great. 'secure' code (like adding new user) hits same rest api server side.

my question this: how can handle security this? have 3 scenarios:

  1. get api/messages: no need security, want expose site's messages interested via json rest api.
  2. get api/my/messages: need allow access if user logged in (it gets user's messages).
  3. post api/users: function should called server, , nothing else should able use it.

as user logging in asp website, how can use logged in credentials authenticate them rest service? while user logged in, pages client side hit regularly updates.

is there sensible/standard way this? core idea client side code uses rest api @ least partially open public, , in fact api offers of business logic - parts of (like creating user) locked down super-admins only.

thanks in advance!

create 2 authentication middleware handlers. 1 add "my" routes , add post routes.

the "my" authenticator takes asp.net auth cookie present in request , makes http call asp.net mvc site it.

you'll need action either returns 401 if cookie invalid otherwise returns info user's permissions perhaps.

if request node doesn't have cookie, return 401 again. in addition, prevent excessive calls mvc site check cookie, use cookiesession middleware set cookie on client flag of authenticated. result in 2 cookies client, shouldn't issue. make node 1 expire before aspx one.

the post authenticator middleware can use shared secret between node , mvc server. e.g. special header in request.


Comments

Post a Comment

Popular posts from this blog

How to mention the localhost in android -

i trying call localhost in android application. unfortunately not possible used several methods emulator local host http://10.0.2.2/android/dbconnection.php and network ip address http://192.168.1.xx/android/dbconnection.php also http://localhost:8080/android/dbconnection.php but nothing connected localhost. purpose refer stackoverflow answers not working i facing same problem when worked on localhost. referred stackoverflow answer got solution create new emulator works fine in new emulator.
Read more

php - Calling a template part from a post -

i include iframe within post in wordpress. located inside content of post, meaning cannot in post template file, otherwise either before or after. i'd add facebook plugin within posts: <div id="socialwrap"><div class="fb-like" data-href="http://onlinearizonahomes.info" data-send="true" data-width="450" data-show-faces="true" data-font="arial"></div></div> i thinking of calling template part within post <?php get_template_part( 'social' ); ?> cannot use php within post without plugin (i'd avoid using plugin this). an alternative using javascript create html in post, seems unnecessary use of javascript. what best way add html within wordpress post? you can use shortcode. add functions.php function cudjex_fbshare( $atts, $content = null ) { global $post; $link = get_permalink($post->id); return '<div id="socialwrap...
Read more