Security - Pipeline?

Topics: Web Api
Nov 2, 2010 at 11:28 AM

I'm wanting to implment a security toekn for users to pass from there browser for every request. This token will alter the items they would get returned with a query. e.g. /contacts/ would only return the contacts for this user.

using this framework where should I get started to do this. Would this be another context pipline or is there an easier way built in. And I aussme this would work with Acess control Service.

Scott

Nov 2, 2010 at 3:53 PM

Wouldn't it make more sense to identify this as a distinct resource, i.e. /user/12323/contacts  By doing this you enable the possibility of caching that response and/or using Etags. 

If you were to make a processor out of this, it would need to understand the concept of a "contact" in order to be able to filter them and that would reduce the potential for re-using the processor for different operations.  

An alternative approach might be to tag objects with some kind of ACL and then a generic processor could filter the objects based on the permissions of the user.  

 

Nov 2, 2010 at 3:59 PM

>>Wouldn't it make more sense to identify this as a distinct resource, i.e. /user/12323/contacts  By doing this you enable the possibility of caching that response and/or using Etags

Yes thats possible but we still need ti implement the security to say that you can't access my contacts. so only a valid user can see /user/12323/contacts. Almost every sample I see of rest tends to discount the security aspect that not all users can see everything.

 

 

 

Nov 2, 2010 at 7:16 PM

Ok gothca.  So it is completely feasible to add a processor that can pull the user id parameter out of the URI and compare that to the authenticated user.  If the users don't match then return a 401.  

Nov 2, 2010 at 8:15 PM
DarrelMiller wrote:

compare that to the authenticated user

Thats the crux. How should we authenticate users? And how would we use the access control service?

Coordinator
Nov 2, 2010 at 8:32 PM

Hey Scott

Authentication should not be handled in the pipeline. The place for auth / these type of security concerns should be the channels. As I mentioned in another thread we have a new HTTP specific channel model coming, but it is not there yet. It will be coming soon.

Glenn

Nov 3, 2010 at 2:35 AM

Are you actually going to do authentication in the channel model?  My experience with using HttpListener is that its http.sys that really want's to do authentication.  That's at a level that even before your stack gets involved.

Coordinator
Nov 4, 2010 at 8:13 AM

In WCF, channels is where we handle auth.

Glenn

Coordinator
Nov 4, 2010 at 8:13 AM

Channels sit right above http.sys if running in self-host.