Pro ASP.NET Web API Security
Introduction
Chapter 1: Welcome to ASP.NET Web API
We start off by understanding what a web API is in general, before moving on to a primer on RESTful web APIs,
followed by a review of how Microsoft's ASP.NET Web API framework can help you build web APIs. We complete the
chapter with a primer on security that looks at all aspects of security, above and beyond a login screen accepting a
username and password, which for many people is what the word security means.
Chapter 2: Building RESTful Services
An HTTP service that handles XML and/or JSON requests and responds to HTTP methods such as GET, POST, PUT,
and DELETE is not necessarily a RESTful service. This chapter introduces you to Roy T. Fielding's constraints that must
be satisfied for an HTTP service to be called RESTful, and builds our first web API, a simple Hello-World kind of API.
Chapter 3: Extensibility Points
The ASP.NET Web API framework has various points of extensibility built into the web API pipeline for us to extend the
processing pipeline. This chapter focuses on understanding the web API extensibility points, such as filters and message
handlers, from the point of view of leveraging them to secure ASP.NET Web API and deal with threats at the earliest
available opportunity. It also highlights the trade-offs associated with selecting the web API extensibility point of a
message handler over the ASP.NET extensibility point of the HTTP module for authentication and authorization.
Chapter 4: HTTP Anatomy and Security
This chapter introduces you to Hypertext Transfer Protocol (HTTP), the protocol behind the World Wide Web.
Understanding HTTP is a prerequisite to understanding the security aspects of ASP.NET Web API. Instead of fighting
against it or abstracting it away, web API embraces HTTP. For this reason, understanding HTTP is all the more
important: a house is only as strong as its foundation! This chapter also covers some of the advanced concepts of HTTP,
things that are a must to create production-grade, performant, secure web APIs, such as web caching, ETags, Cross-Origin
Resource Sharing (CORS), cookies, proxy servers, HTTPS, and the ultimate tool of HTTP debugging, Fiddler.
Chapter 5: Identity Management
Identity management is an important aspect of application security. In this chapter, we focus on how a subject or an
entity gets authenticated and how the actions an entity attempts to perform are authorized by an application in the
context of the .NET Framework. This chapter introduces you to the interfaces IIdentity and IPrincipal that form the
basis of role-based access control (RBAC) and compares it with the more flexible and granular claims-based access
control (CBAC), which is built on claims. Readers get to take a first peek at security tokens and the
three major formats: SAML, SWT, and JWT.
Chapter 6: Encryption and Signing
Windows Identity Foundation (WIF) hides away the nuts and bolts of tokens and lets developers work with a set of
claims without bothering about the cryptography underneath. As we step out of the realm of WCF/WIF, securing RESTful
ASP.NET Web APIs without depending on WIF classes for the cryptographic heavy lifting means understanding the
nuts and bolts of encryption and signing. This chapter covers encryption and decryption, and signing and validation,
using symmetric keys and asymmetric keys: public–private key pairs generated using RSACryptoServiceProvider as well as
a self-signed certificate generated using the Makecert tool.
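The two halves of the chapter, asymmetric signing and symmetric encryption, as an added example written for this overview (it is not code from the book). It uses the RSACryptoServiceProvider class the chapter names for sign/verify, and AES-CBC with an HMAC-SHA256 tag for encryption. The keys are generated in memory and the message is a constructed sample; a real service would load the RSA key from a certificate and the AES/HMAC keys from a protected store.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// RSA sign/verify and AES encrypt-then-MAC with .NET Framework primitives.
public static class CryptoPrimitives
{
    // Sign with the private key; a holder of the public key can verify but not forge.
    // SHA-256 digest, PKCS#1 v1.5 padding.
    public static byte[] RsaSign(string privateKeyXml, byte[] data)
    {
        using (var rsa = new RSACryptoServiceProvider())
        {
            rsa.FromXmlString(privateKeyXml);
            return rsa.SignData(data, "SHA256");
        }
    }

    public static bool RsaVerify(string publicKeyXml, byte[] data, byte[] signature)
    {
        using (var rsa = new RSACryptoServiceProvider())
        {
            rsa.FromXmlString(publicKeyXml);   // public parameters only
            return rsa.VerifyData(data, "SHA256", signature);
        }
    }

    // AES-256-CBC with a fresh random IV, then HMAC-SHA256 over IV||ciphertext.
    // Encrypt-then-MAC: tampered blobs are rejected before the block cipher runs,
    // which closes the padding-oracle problem of bare CBC.
    public static byte[] EncryptThenMac(byte[] encKey, byte[] macKey, byte[] plaintext)
    {
        using (var aes = new AesCryptoServiceProvider { Key = encKey, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        {
            aes.GenerateIV();
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            byte[] ivAndCipher = Concat(aes.IV, cipher);
            using (var hmac = new HMACSHA256(macKey))
                return Concat(ivAndCipher, hmac.ComputeHash(ivAndCipher));
        }
    }

    public static byte[] VerifyThenDecrypt(byte[] encKey, byte[] macKey, byte[] blob)
    {
        const int IvLen = 16, TagLen = 32;
        if (blob.Length < IvLen + TagLen) throw new CryptographicException("blob too short");
        byte[] ivAndCipher = Slice(blob, 0, blob.Length - TagLen);
        byte[] tag = Slice(blob, blob.Length - TagLen, TagLen);
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey)) expected = hmac.ComputeHash(ivAndCipher);
        if (!FixedTimeEquals(expected, tag)) throw new CryptographicException("MAC check failed");

        using (var aes = new AesCryptoServiceProvider { Key = encKey, IV = Slice(ivAndCipher, 0, IvLen), Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        using (var dec = aes.CreateDecryptor())
            return dec.TransformFinalBlock(ivAndCipher, IvLen, ivAndCipher.Length - IvLen);
    }

    static byte[] Slice(byte[] src, int offset, int count)
    {
        var dst = new byte[count];
        Buffer.BlockCopy(src, offset, dst, 0, count);
        return dst;
    }

    static byte[] Concat(byte[] a, byte[] b)
    {
        var dst = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, dst, 0, a.Length);
        Buffer.BlockCopy(b, 0, dst, a.Length, b.Length);
        return dst;
    }

    // Compare every byte so timing does not reveal how long a matching prefix was.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        var keyPair = new RSACryptoServiceProvider(2048);            // demo key pair, generated in memory
        string privateKey = keyPair.ToXmlString(true), publicKey = keyPair.ToXmlString(false);
        byte[] message = Encoding.UTF8.GetBytes("{\"sub\":\"alice\",\"role\":\"user\"}"); // constructed sample
        byte[] signature = RsaSign(privateKey, message);
        Console.WriteLine("verify intact:   " + RsaVerify(publicKey, message, signature));
        message[0] ^= 0x01;                                           // flip one bit of the signed data
        Console.WriteLine("verify tampered: " + RsaVerify(publicKey, message, signature));

        byte[] encKey = new byte[32], macKey = new byte[32];         // separate keys for AES and HMAC
        using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(encKey); rng.GetBytes(macKey); }
        byte[] blob = EncryptThenMac(encKey, macKey, Encoding.UTF8.GetBytes("secret payload"));
        Console.WriteLine(Encoding.UTF8.GetString(VerifyThenDecrypt(encKey, macKey, blob)));
        blob[20] ^= 0x01;                                             // corrupt one ciphertext byte
        try { VerifyThenDecrypt(encKey, macKey, blob); }
        catch (CryptographicException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Two design points worth noting: the encryption and MAC keys are distinct (reusing one key for both is a classic mistake), and the MAC covers the IV as well as the ciphertext, so an attacker cannot flip plaintext bits in the first block by editing the IV.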
Chapter 7: Custom STS through WIF
One of the key components in the WS-Trust scheme of things is the Security Token Service (STS). WIF allows you to build
your own custom STS, although it is highly recommended that you buy one instead of building one. This short chapter
introduces you to the WS-* protocols, specifically WS-Trust, and goes through the steps for creating a custom STS to
enhance your understanding of STS and how an STS creates and issues tokens.
Chapter 8: Knowledge Factors
A knowledge factor is something a user knows, such as a password or a PIN. This chapter explores the knowledge-factor
authentication mechanisms that can be used to secure ASP.NET Web API. A user ID and password combination is probably
the most widely used knowledge factor, and this chapter focuses on the mechanisms leveraging this factor: the two
authentication schemes defined in the HTTP specification, namely basic and digest authentication, and the
Windows-OS-powered Integrated Windows Authentication (IWA), more commonly known as Windows Authentication.
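The basic scheme from this chapter, implemented at the message-handler extensibility point that Chapter 3 discusses, as an added example written for this overview rather than code from the book. The handler parses the Authorization header, checks the credentials against a constructed in-memory store of salted PBKDF2 hashes (a stand-in for a real user database), refuses basic credentials over plain HTTP, and answers a missing or bad header with the 401 challenge the HTTP specification requires. The user name and password are made up for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// HTTP Basic authentication (RFC 7617) as a Web API message handler: runs before
// routing, controller selection and action filters, so bad requests are rejected early.
public class BasicAuthenticationHandler : DelegatingHandler
{
    // Constructed user store: name -> (salt, PBKDF2 hash). Never store the password itself.
    private static readonly Dictionary<string, Tuple<byte[], byte[]>> Users =
        new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.Ordinal);

    static BasicAuthenticationHandler()
    {
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        Users["alice"] = Tuple.Create(salt, Derive("correct horse battery staple", salt));
    }

    // PBKDF2-HMAC-SHA1, 10,000 iterations, 32-byte output.
    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 10000)) return kdf.GetBytes(32);
    }

    public static bool ValidateCredentials(string user, string password)
    {
        Tuple<byte[], byte[]> entry;
        if (!Users.TryGetValue(user, out entry))
        {
            Derive(password, new byte[16]);   // same cost for unknown users: no enumeration by timing
            return false;
        }
        byte[] actual = Derive(password, entry.Item1), expected = entry.Item2;
        int diff = 0;                          // constant-time comparison of the two hashes
        for (int i = 0; i < expected.Length; i++) diff |= actual[i] ^ expected[i];
        return diff == 0;
    }

    // Decodes base64("user:password"); the password itself may contain ':'.
    public static bool TryParseCredentials(string parameter, out string user, out string password)
    {
        user = password = null;
        try
        {
            string decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter));
            int colon = decoded.IndexOf(':');
            if (colon <= 0) return false;
            user = decoded.Substring(0, colon);
            password = decoded.Substring(colon + 1);
            return true;
        }
        catch (FormatException) { return false; }
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Basic credentials are base64-encoded, not encrypted: refuse them over plain HTTP.
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
            return new HttpResponseMessage(HttpStatusCode.Forbidden) { ReasonPhrase = "HTTPS required" };

        AuthenticationHeaderValue auth = request.Headers.Authorization;
        string user, password;
        if (auth != null
            && "Basic".Equals(auth.Scheme, StringComparison.OrdinalIgnoreCase)
            && !string.IsNullOrEmpty(auth.Parameter)
            && TryParseCredentials(auth.Parameter, out user, out password)
            && ValidateCredentials(user, password))
        {
            // Hand the identity to the rest of the pipeline ([Authorize], controllers).
            var principal = new GenericPrincipal(new GenericIdentity(user, "Basic"), new string[0]);
            Thread.CurrentPrincipal = principal;
            if (System.Web.HttpContext.Current != null) System.Web.HttpContext.Current.User = principal; // web-hosted only
            return await base.SendAsync(request, cancellationToken);
        }

        // Missing or bad credentials: 401 plus a WWW-Authenticate challenge (RFC 7235).
        var response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"api\""));
        return response;
    }
}

// Registration, in WebApiConfig.Register(HttpConfiguration config):
//     config.MessageHandlers.Add(new BasicAuthenticationHandler());
```

The handler deliberately does not distinguish "unknown user" from "wrong password" in its response or its timing, and it sets both Thread.CurrentPrincipal and HttpContext.Current.User because, in the web-hosted pipeline the chapter targets, the two can otherwise disagree.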
Chapter 9: Ownership Factors
An ownership factor is something a user owns or possesses, such as a key, a certificate, or a token. This chapter examines
ownership-factor authentication mechanisms for securing ASP.NET Web API, such as preshared keys (PSKs), more
commonly called API keys, X.509 client certificates, and SAML tokens.
Chapter 10: Web Tokens
This chapter is an extension of the previous chapter on ownership-factor security, for web tokens are ownership factors
just like SAML tokens. However, web tokens deserve a chapter of their own because they are a better fit for RESTful
services. Hence, this chapter is dedicated to web tokens and takes an in-depth look at the two most popular web token
formats by studying the anatomy of the Simple Web Token (SWT) and the JSON Web Token (JWT), including both
signed (JWS) and encrypted (JWE) forms.
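The JWS anatomy the chapter studies, as an added example written for this overview (not the book's code): a compact-serialization JWT, header.payload.signature, issued and verified by hand with HMAC-SHA256. It uses Newtonsoft.Json, the serializer ASP.NET Web API ships with; the issuer, audience and HMAC key are constructed for the demo. The verifier pins the algorithm before it trusts anything else in the token, checks the signature, and only then reads the expiry, issuer and audience claims.

```csharp
using System;
using System.Security;
using System.Security.Cryptography;
using System.Text;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Minimal HS256 JWS issuer and verifier showing the three base64url parts of a JWT.
public static class HmacJwt
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // base64url (RFC 4648 section 5): URL-safe alphabet, no '=' padding.
    public static string Base64UrlEncode(byte[] bytes)
    {
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public static byte[] Base64UrlDecode(string text)
    {
        string b64 = text.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
            case 1: throw new FormatException("invalid base64url length");
        }
        return Convert.FromBase64String(b64);
    }

    static byte[] Hmac(byte[] key, string signingInput)
    {
        using (var hmac = new HMACSHA256(key)) return hmac.ComputeHash(Encoding.ASCII.GetBytes(signingInput));
    }

    public static string Issue(byte[] key, string issuer, string audience, string subject, DateTime utcNow, TimeSpan lifetime)
    {
        long iat = (long)(utcNow - Epoch).TotalSeconds;
        var header = new JObject(new JProperty("alg", "HS256"), new JProperty("typ", "JWT"));
        var payload = new JObject(
            new JProperty("iss", issuer), new JProperty("aud", audience), new JProperty("sub", subject),
            new JProperty("iat", iat), new JProperty("exp", iat + (long)lifetime.TotalSeconds));
        // Signing input is the two base64url parts joined by '.', signature is over that ASCII string.
        string signingInput = Base64UrlEncode(Encoding.UTF8.GetBytes(header.ToString(Formatting.None))) + "."
                            + Base64UrlEncode(Encoding.UTF8.GetBytes(payload.ToString(Formatting.None)));
        return signingInput + "." + Base64UrlEncode(Hmac(key, signingInput));
    }

    // Returns the verified claim set or throws. Order matters: pin the algorithm,
    // check the signature, and only then read and trust the claims.
    public static JObject Validate(string token, byte[] key, string issuer, string audience, DateTime utcNow)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 3) throw new SecurityException("not a three-part JWS");

        JObject header = JObject.Parse(Encoding.UTF8.GetString(Base64UrlDecode(parts[0])));
        // Accept only the algorithm we issue with: an HMAC verifier must never honour
        // "none", nor an asymmetric alg whose "key" would be our published public key.
        if ((string)header["alg"] != "HS256") throw new SecurityException("unexpected alg");

        byte[] expected = Hmac(key, parts[0] + "." + parts[1]);
        byte[] actual = Base64UrlDecode(parts[2]);
        int diff = expected.Length ^ actual.Length;            // constant-time comparison
        for (int i = 0; i < expected.Length && i < actual.Length; i++) diff |= expected[i] ^ actual[i];
        if (diff != 0) throw new SecurityException("bad signature");

        JObject claims = JObject.Parse(Encoding.UTF8.GetString(Base64UrlDecode(parts[1])));
        long now = (long)(utcNow - Epoch).TotalSeconds;
        if (claims["exp"] == null || now >= (long)claims["exp"]) throw new SecurityException("token expired");
        if ((string)claims["iss"] != issuer) throw new SecurityException("wrong issuer");
        if ((string)claims["aud"] != audience) throw new SecurityException("wrong audience");
        return claims;
    }

    public static void Main()
    {
        byte[] key = new byte[32];                               // constructed shared HMAC key
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(key);
        const string Iss = "https://issuer.example", Aud = "https://api.example";   // assumed names
        string token = Issue(key, Iss, Aud, "alice", DateTime.UtcNow, TimeSpan.FromMinutes(10));
        Console.WriteLine(token);
        Console.WriteLine("sub = " + Validate(token, key, Iss, Aud, DateTime.UtcNow)["sub"]);

        // Editing the payload (here, promoting sub) leaves the signature stale, so validation fails.
        string[] parts = token.Split('.');
        JObject forged = JObject.Parse(Encoding.UTF8.GetString(Base64UrlDecode(parts[1])));
        forged["sub"] = "admin";
        string forgedToken = parts[0] + "." + Base64UrlEncode(Encoding.UTF8.GetBytes(forged.ToString(Formatting.None))) + "." + parts[2];
        try { Validate(forgedToken, key, Iss, Aud, DateTime.UtcNow); }
        catch (SecurityException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Note that a JWS protects integrity only: the payload is readable by anyone who holds the token, which is why claims that must stay confidential call for the encrypted JWE form the chapter also covers.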
Chapter 11: OAuth 2.0 Using Live Connect API
OAuth 2.0 is an open standard for authorization. Roughly speaking, it can be considered the WS-* of the REST world.
We start our exploration of OAuth 2.0, mainly from the point of view of a client consuming a web API that implements
OAuth 2.0. We review the four types of grants and take a detailed look at implicit and authorization code-based grants
using Microsoft Live Connect API.
Chapter 12: OAuth 2.0 from the Ground Up
In this chapter, we move to the other side of the table. Instead of focusing on a client that consumes an API, we now
develop a web API implementing OAuth 2.0, specifically the authorization code-based grant. Implementation is
performed from scratch using two ASP.NET MVC web applications so you can understand the nuts and bolts.
Chapter 13: OAuth 2.0 Using DotNetOpenAuth
Although it is possible to build on the OAuth 2.0 implementation from the previous chapter and develop your
production-strength OAuth 2.0 implementation, this chapter implements the same authorization code-based grant using
DotNetOpenAuth (DNOA), which is a well-established open source .NET library that helps you write production-grade
OAuth 2.0–based authorization for your web API, in conformance to the principle of not reinventing the wheel.
Chapter 14: Two-Factor Authentication
When you have an authentication mechanism that leverages a combination of two of the knowledge, ownership,
and inherence factors, it is called two-factor authentication (TFA or 2FA). This chapter covers TFA by leveraging the
knowledge factor of a password, the ownership factor of an X.509 client certificate, and TFA on a need basis, realized
through the use of TOTP codes provided by Google Authenticator.
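The TOTP codes this chapter uses, as an added example written for this overview (not the book's code): RFC 6238 time-based codes over RFC 4226 HOTP with the parameters Google Authenticator uses (HMAC-SHA1, 30-second steps, 6 digits, base32-encoded secret). The generator side is what the app does; the verifier side shows the two checks a service has to add, a small skew window and replay protection. The demo key is the well-known RFC 4226/6238 test secret, not a real enrollment.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// TOTP (RFC 6238) on HOTP (RFC 4226), Google Authenticator parameters.
public static class Totp
{
    const int StepSeconds = 30, Digits = 6;
    const string Base32Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // Decodes the secret as it appears in the otpauth:// provisioning URI / QR code.
    public static byte[] Base32Decode(string text)
    {
        text = text.Replace(" ", "").TrimEnd('=').ToUpperInvariant();
        var output = new byte[text.Length * 5 / 8];
        int buffer = 0, bits = 0, index = 0;
        foreach (char c in text)
        {
            int value = Base32Alphabet.IndexOf(c);
            if (value < 0) throw new FormatException("invalid base32 character: " + c);
            buffer = (buffer << 5) | value;
            bits += 5;
            if (bits >= 8)
            {
                bits -= 8;
                output[index++] = (byte)(buffer >> bits);
                buffer &= (1 << bits) - 1;
            }
        }
        return output;
    }

    public static string Hotp(byte[] key, long counter)
    {
        byte[] message = BitConverter.GetBytes(counter);          // 8-byte big-endian counter
        if (BitConverter.IsLittleEndian) Array.Reverse(message);
        byte[] hash;
        using (var hmac = new HMACSHA1(key)) hash = hmac.ComputeHash(message);
        int offset = hash[hash.Length - 1] & 0x0F;                // dynamic truncation (RFC 4226 5.3)
        int binary = ((hash[offset] & 0x7F) << 24) | (hash[offset + 1] << 16)
                   | (hash[offset + 2] << 8) | hash[offset + 3];
        return (binary % 1000000).ToString("D6");
    }

    static long StepAt(DateTime utcNow) { return (long)(utcNow - Epoch).TotalSeconds / StepSeconds; }

    public static string Generate(byte[] key, DateTime utcNow) { return Hotp(key, StepAt(utcNow)); }

    // Verifier: accept the current step and one either side (clock skew), and never
    // accept a step at or below the last one used, so an observed code cannot be replayed.
    public static bool Verify(byte[] key, string code, DateTime utcNow, ref long lastAcceptedStep)
    {
        if (code == null || code.Length != Digits) return false;
        long step = StepAt(utcNow);
        for (long candidate = step - 1; candidate <= step + 1; candidate++)
        {
            if (candidate <= lastAcceptedStep) continue;
            string expected = Hotp(key, candidate);
            int diff = 0;                                          // constant-time compare of the digits
            for (int i = 0; i < Digits; i++) diff |= expected[i] ^ code[i];
            if (diff == 0) { lastAcceptedStep = candidate; return true; }
        }
        return false;
    }

    public static void Main()
    {
        // RFC 4226/6238 test secret "12345678901234567890" (ASCII). A real secret is a random
        // 160-bit value, shown base32-encoded when the user enrolls it in the authenticator app.
        byte[] key = Encoding.ASCII.GetBytes("12345678901234567890");
        DateTime t = Epoch.AddSeconds(59);
        string code = Generate(key, t);
        Console.WriteLine("code at T=59: " + code);

        long lastStep = -1;                                        // persisted per user in a real service
        Console.WriteLine("first use: " + Verify(key, code, t, ref lastStep));
        Console.WriteLine("replay:    " + Verify(key, code, t.AddSeconds(5), ref lastStep));

        string base32Secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";   // the same key, base32-encoded
        Console.WriteLine("base32 round-trip: " + (Encoding.ASCII.GetString(Base32Decode(base32Secret)) == "12345678901234567890"));
    }
}
```

The values can be checked against the appendix test vectors of RFC 4226 (counter 1 with that secret gives 287082) and RFC 6238 (T=59, SHA-1, gives the same digits as the low-order six of 94287082). The lastAcceptedStep value has to be stored per user and updated atomically, otherwise two concurrent logins with one captured code both succeed.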
Chapter 15: Security Vulnerabilities
This chapter looks at important and potential security risks or vulnerabilities, points of interest pertaining to ASP.NET
Web API, and things to look out for while building a secure, production-strength ASP.NET Web API. The coverage
includes the top risks, per OWASP 2013, as well as best practices such as logging and validation.