Security in ASP.NET Web Api (Urgent)

  • We have a service built using ASP.NET Web API that can be accessed from any client, e.g. a web client, an Android application, etc. We are using tokens to authenticate and authorize access to resources. Note that the web browser passes the authentication ticket on all subsequent requests that are part of the same session to the web server. We want to implement a security strategy that allows anonymous methods to be ONLY accessible from known applications. In other words, DENY all requests to anonymous methods from unauthorized applications.

    Now, if someone knows/hacks the security token, he or she can access the services. How do we prevent this? Also, the call to a particular service should come from a valid source, i.e., we should be able to identify and authenticate the call, and also from which platform the call has been made, and only then grant access. The challenge that we are facing is that because we would have to provide anonymous access, and that HTTP is text based, the token can be easily accessed. We are looking at some sort of authentication token using HMAC, API keys / secret keys, or a combination of them.
    Friday, October 25, 2013 2:21 PM
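The HMAC / API-key scheme the question is asking about, sketched as an added example (not code from the original post or from ASP.NET Web API). The client never sends its secret; it sends an application id plus an HMAC over the method, path, timestamp, nonce and body hash, and the server recomputes and compares it. The application ids, secrets, header names and the 300-second window are constructed assumptions for this example; the in-memory nonce set stands in for a cache with expiry.

```python
import hashlib
import hmac
import secrets
import time

# Constructed per-application secrets; a real service issues these out of band
# and keeps them server-side, one per known client platform.
APP_SECRETS = {"android-app": b"constructed-android-secret",
               "web-client": b"constructed-web-secret"}
MAX_CLOCK_SKEW = 300  # seconds a signed request stays acceptable (assumed)
SEEN_NONCES = set()   # replay cache; expire entries after MAX_CLOCK_SKEW in practice


def canonical_string(method, path, app_id, timestamp, nonce, body):
    """Everything the MAC covers, so an altered or replayed request fails."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, app_id, str(timestamp), nonce, body_hash])


def sign_request(app_id, method, path, body, now=None):
    """Client side: headers to attach. Only a MAC over the request travels, never the secret."""
    timestamp = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)
    msg = canonical_string(method, path, app_id, timestamp, nonce, body).encode()
    mac = hmac.new(APP_SECRETS[app_id], msg, hashlib.sha256).hexdigest()
    return {"X-App-Id": app_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": mac}


def verify_request(headers, method, path, body, now=None):
    """Server side: (ok, reason). Unknown app, stale time, reused nonce or bad MAC all deny."""
    now = now if now is not None else time.time()
    app_id = headers.get("X-App-Id", "")
    secret = APP_SECRETS.get(app_id)
    if secret is None:
        return False, "unknown application"
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        return False, "timestamp outside window"
    nonce = headers.get("X-Nonce", "")
    if nonce in SEEN_NONCES:
        return False, "replayed nonce"
    msg = canonical_string(method, path, app_id, timestamp, nonce, body).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how much of the MAC matched.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    SEEN_NONCES.add(nonce)  # record only after a successful check
    return True, "ok"
```

A captured set of headers is useless to a third party beyond the clock window, cannot be reused within it because of the nonce, and cannot be moved to another request because the path and body hash are signed; the secret itself still has to be protected on the client, which is the hard part for code shipped to end users.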