Web Security api: SSL?


8

I wonder whether there is a way to restrict requests to a web API specifically to one machine.

My web api will be hosted on computer A.

My client (at first only one) will stay on the computer B.

Different servers, different machines.

Is there a way to filter the web API so that it only "responds" to client computer B?

  1. Is that SSL? How does it work? Do I just install the certificate on the server and the client? Do I need to handle the request on the server side?
  2. It is very likely that in the future a mobile application will query the same web API. How should I proceed to "release" the application's requests?
  • @Downvoter: Please comment on what can be improved on the question, or indicate what is wrong with it so I can correct it.

  • See if this question helps. There is a post on Carlos Figueira's blog on MSDN which explains how to filter calls using a certificate. I believe that to filter, the correct thing is to have a certificate, and filter the calls to allow only the calls that carry this certificate.

  • SSL serves to encrypt the conversation between a client and a server in order to prevent data interception by third parties, as well as to assure the client that the server owns the private half of the key pair. Its purpose is to ensure the integrity and privacy of the information transmitted, not the restriction of access. That can be achieved through firewalls, HTTP server settings, or ideally with authentication methods as described in the answers below. One can use digital certificate authentication ("electronic signature"), but this is not the same thing as SSL.

3 answers

5
What you need to implement is authentication, mainly because you said that in a second phase you will have a mobile application.

With the mobile app you will no longer have control over who the origin of the application is. If you didn't have a mobile app, maybe you could do the IIS restriction, since the source domain is known and unique.

Use one of the versions of OAuth authentication; version 1.0 is very simple and fast to implement.

SSL does you no good in this scenario.

  • I understand that authentication is a good suggestion. However, I understand that the request can be intercepted, for example. A malicious guy can do that and get the login data, right? I've never used OAuth, I don't know if it works that way, but I imagine it does. What do you suggest to avoid this? Doesn't a security layer solve this?

  • You will use SSL too, precisely to not be intercepted. My point is that SSL alone does not solve your problem, but rather authentication + SSL.

  • Man... your reply implied that for my case, SSL and "nothing" would be the same thing, so I was a bit puzzled, haha. If you could revise your reply and give some examples, it would help a lot of people with the content :)

0

1 - SSL is the least you should have if you intend to expose an API to a client, but it is not very related to your problem.

2 - While you don't have a mobile app consuming your API, you have some ways to restrict your clients' access: by IP, configuring IIS, through a firewall, or even through a digital certificate to establish communication with your API.

3 - When you have a mobile application consuming the API the scenario changes; there is no possible restriction by IP. One of the authentication standards used in this case is OAuth2:

0

I wonder whether there is a way to restrict requests to a web API specifically to one machine

Answer: token per user

My recommendation: JwtSecurityTokenHandler,

and to have total control you need to create an AuthorizeAttribute filter for a particular user.

[Authorize(Roles = "MaquinaA")]
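As an added illustration (not code from any of the answers, and not ASP.NET): a minimal HS256 JWT issue/verify pair in Python that does what the answer above sketches, a token per client carrying a role claim, checked the way `[Authorize(Roles = "MaquinaA")]` would. The shared secret, client names and timestamps are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; in practice it lives in a secret store, never in source.
SECRET = b"demo-shared-secret-change-me"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(subject, roles, ttl_seconds=3600, now=None):
    """Issue an HS256 JWT for one client (e.g. machine A) with a 'roles' claim."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "roles": roles, "iat": now, "exp": now + ttl_seconds}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_token(token, now=None):
    """Return the claims if the signature and expiry check out, otherwise None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":          # refuse 'none' and algorithm swaps
            return None
        expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None                            # tampered or foreign token
        claims = json.loads(b64url_decode(p))
        now = int(time.time()) if now is None else now
        if claims.get("exp", 0) <= now:
            return None                            # expired
        return claims
    except (ValueError, AttributeError, TypeError):
        return None                                # malformed token

def authorize(token, required_role, now=None):
    """Equivalent of [Authorize(Roles = "MaquinaA")]: valid token AND role present."""
    claims = verify_token(token, now)
    return claims is not None and required_role in claims.get("roles", [])
```

As the comment thread says, this only decides who may call; the token itself still has to travel over SSL/TLS so it cannot be captured in transit.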
