2

I've been reading different articles on the subject of securing WebAPI, including:

leastprivilege article

kevin junghans article

piotr walat's article

and many others.

I would like to use the MVC 4.NET SPA template (with either Backbone.js or another JS lib) and I'd like to secure WebAPI used by SPA with basic http authentication, using tokens in the headers because some of the WebAPI clients will not support cookies required by forms authentication.

The SPA template uses SimpleMembership and oauth, which I would like to use and combine with basic http authentication.

What's unclear to me is whether the SPA template out-of-the-box authenticate and authorize WebAPI with basic HTTP authentication and tokens, or do I have to follow and piece this together from the links above?

Improve this question

1 Answer 1

Reset to default
0

This is quite a large topic and its best to completely understand it before simply plugging in templates.

Here is a great video to help put everything in place: https://vimeo.com/43603474

You must be using SSL for any token based authentication (like oAuth)

Once the user is authenticated - via oAuth or your own membership provider, you can simply attribute any Web Api methods with [Authorize] to ensure that a non-authenticated user can't call those methods (will return a 401 - not authorized if not authenticated)

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.