I am developing a project in Angular 4.0 and using c#.net web API as back-end.
Problem is, When I am running my application through browser, I am able to see web service call (get/post) through "Postman Interceptor". Which is not good for security. Is there any way to secure my webAPI call so that it will not be visible in "Postmatser" or fiddler like tool?
Is there any way to secure my webAPI call so that it will not be visible in [Postman or Fiddler]?
No. You're issuing requests from the browser. This means they will come from the visitor's pc, and everything that happens there can be intercepted by them.
You don't need obscurity, you need authentication.
Related
I am working on combination of Web API application and desktop client program (WPF). I am using Microsoft.AspNet.WebApi.Client for a client-server HTTP communication and now I want to use authorization / authentication system of the server application to authorize user of the client program.
Point is, I want to use (=start with) the same HttpClient class, I would like to use ASP.NET Identity library on server side - call controller with credentials in HTTP header, receive actual token from server, keep it and than use it for authentication in other controllers where it is required.
I know the theory, some basic steps, but I have not found any useful and actual resource with a simple examples or tutorial how to do it well. Does anyone know about good resource to learn, how to do that?
Thanks a lot.
I have been scratching my head how to solve the issue described below.
So, the company where I work uses Visual Studio Team Services (was Visual Studio Online), and it is integrated/connected to our AD, meaning that If I log in to my workstation I can log in to Team Services without authenticating myself, like SSO.
I'm going to create an application which communicates to Team Services via Team Services SOAP and WebApi clients and here is the problem. I need a user to be able to communicate with Team Services and doing stuff (reading data, creating work items, creating test suits, etc.). I see little chance to convince IT to create a user only for this. They going to reject my request due to security risks.
The application architecture looks this:
browser: angularjs application, spa, calling only the WebApi service
server: WebApi service, which is responsible to communicate with Team Services and transforming data back and forth between the client and Team Services.
database: persisting data for later analysis
There is an idea in my mind, where I can get somehow the windows credentials from the OS and push it down to the server which uses it to communicate with Team Services. In Team Services, we will see that the particular user did things.
The question, how is possible that? The articles I have found searching for something similar, always mention .Net MVC app where I need to modify the web.config in order to get the credentials. But, in my architecture there is no .Net MVC app running on local machines. There is only a SPA running in browsers.
Or my architecture is not fit for this purpose? Shall I rework it and using MVC app to be able to get the credentials and working with them? But, the question still stands, how can I pass the credentials through the calls calling Team Services?
Do you know blog entries dealing with cases like above?
Thanks for any help in advance!
I think you have a bit of confusion over your terms. The SPA (Single Page App) has javascript code delivered by the server to the browser that calls the .NET WebApi code. In order to get the browser to use Kerberos/Windows Authentication you need to add
<system.web>
<authentication mode="Windows" />
</system.web>
to your web.config on the server where the .NET app is running (under IIS).
From here...
http://www.asp.net/web-api/overview/security/integrated-windows-authentication
"On the client side, Integrated Windows authentication works with any browser that supports the Negotiate authentication scheme, which includes most major browsers. For .NET client applications, the HttpClient class supports Windows authentication:"
Then the browser will do the rest for you and the HttpContext.CurrentUser in the .NET code on the server will be set to the windows user of the clients browser.
We are starting a project which will consist in:
Web project (ASP.NET MVC)
IOS app
and both will consume data from a .NET WEB API service.
The WEB API service will expose a POST Method with the url "user/create". But i don't know how can i avoid another apps for making post to this url? I know i need a security protocol, but i wanted to know which one you recommend me, and if you have, an article where is it explained.
Thanks
web api 2 provides oauth authentication. You will need to get a token from the token end point of web api and pass that token in subsequent requests.
You should find lot of online resources if you search for web api 2 oauth.
We did something similar recently using OWIN OAuth 2.0 Authorization Server
Reference this ASP.NET page for details. Sample code is included as well for several different implementations.
For our purposes, we used the Client Credentials Grant section about half-way down the page. Our implementation involved server-server OAuth (Web API to MVC), but I bet it's pretty similar to have iOS connect. The only thing I would caution is to somehow encrypt the login credentials on the iOS side, and I'm sure there is a way to do that.
So you want the WebAPI to only be used by the MVC page? The best architectural method is to separate the two rather than leave both in one project. Why? Because the MVC app is a experience layer for humans. The WebAPI is an experience layer for the MVC app. Move it back where it can't be accessed.
You can add on tokens, etc, but the MVC app sits on the server, but is accessed on the client computer. The wider the scope of the application (ie, intranet or internet or something in between?), the more difficult the problem and the harder it is for your users to access the application. Moving the WebAPI internal and leaving the MVC app exposed guarantees external users cannot use the API.
The main reason WebAPI and MVC exist together in a single project (still a mistake in most instances, IMO) is you are exposing both to the same audience. If that is not your intent, don't do it.
I have an Https Web API hosted in Azure.
Now if I am making a call from console application, will the POST/GET data be passed in encrypted form or will I need to do anything in the console app?>
the reason I am asking is that if I use Fiddler, can see the data in clear text. Of course decrypt HTTPS traffic is checked
Similarly if the Web api is consumed from Android mobile app, does the app need to do anything to ensure that the traffic cannot be sniffed?
I am new to Https and security. Any help or pointer will be of immense help
I'd recommend making your Web API only accessible by HTTPS. And then, make sure that yoru Android app uses HTTPS. Also, ensure that if your Android app is presented with an invalid certificate that it will stop running and not send any data.
HTTPS should basically handle everything from a sniffing/MITM point of view. However, you must still have a secure authentication mechanism and such as well.
Good old Microsoft documentation at it's finest. Does anyone know of any resources that explains how to deploy Web Api with Asp.net Web Forms application. I have the web api in a separate class library and I call using jquery. I don't want anonymous users to be able to access this service only the application. Do I want to use self hosted? How do I lock the service down? Awesome examples showing how to use, tons of videos but nothing on deployment.
You don't have the right architecture for what you are describing, but what you have is right.
If you are calling web services from the client side (using jquery) then your web service must be public facing.
What you are describing is a web or WCF service in a service oriented architecture. That service would most likely live on a different server and be on an internal network, etc. Even if it's on the same server your requirement is that it is not publicly accessible - thus none of your jquery would work since that request is being initiated by the user and users can only make requests to public facing services.
The comments about using forms authentication to protect your service calls are right. jQuery will include the forms authentication cookie for you when it makes AJAX calls so you shouldn't have to change much on the client side.