How to handle CSRF attacks for asp.net core based microservices automatically? - csrf

I am working on developing ASP.NET Core WEB API based microservices which will be consumed by multiple client applications like Angular app, iOS and Android app.
While looking at the security aspects of the microservices, I see that there is a need to protect the microservices from XSRF attacks. On analysis I found that there is a way for an ASP.NET Core MVC application, as mentioned at the URL below:
https://andrewlock.net/automatically-validating-anti-forgery-tokens-in-asp-net-core-with-the-autovalidateantiforgerytokenattribute/
Can anyone help me find out whether there is any way to automatically validate anti-forgery tokens in ASP.NET Core Web APIs?
Any links with some sample code will help me a lot.
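One way to get the same automatic validation in a Web API project, as an added example that is not part of the original question or of Andrew Lock's post: register the global AutoValidateAntiforgeryTokenAttribute filter, configure antiforgery to read the token from the header Angular's HttpClient sends, and hand the request token to the client in a readable cookie. The class and cookie/header names (Startup, XSRF-TOKEN, X-XSRF-TOKEN) are assumptions chosen to match Angular's default convention.

```csharp
// Startup.cs of the Web API project (constructed example, ASP.NET Core 2.x style).
using System;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Angular's HttpClient copies the XSRF-TOKEN cookie into the
        // X-XSRF-TOKEN header; tell the antiforgery service to look there
        // instead of in a hidden form field.
        services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");

        services.AddMvc(options =>
        {
            // Validates the token on every POST/PUT/PATCH/DELETE action;
            // GET/HEAD/OPTIONS/TRACE are skipped by the attribute itself.
            // Individual actions can opt out with [IgnoreAntiforgeryToken].
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
        });
    }

    public void Configure(IApplicationBuilder app, IAntiforgery antiforgery)
    {
        // Issue the request token on GET requests. GetAndStoreTokens also sets
        // the signed, HttpOnly antiforgery cookie that pairs with it; the
        // XSRF-TOKEN cookie is deliberately readable so the client can echo it.
        app.Use(async (context, next) =>
        {
            if (HttpMethods.IsGet(context.Request.Method))
            {
                AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(context);
                context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken,
                    new CookieOptions
                    {
                        HttpOnly = false,            // client-side JS must read it
                        Secure = true,               // never sent over plain HTTP
                        SameSite = SameSiteMode.Strict
                    });
            }
            await next();
        });

        app.UseMvc();
    }
}
```

This only matters for clients that authenticate with cookies the browser attaches automatically; native iOS/Android clients that send a bearer token in the Authorization header are not exposed to CSRF and can be left out of the filter with [IgnoreAntiforgeryToken].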

Related

Adobe Experience Manager: (Blackbox) Web API for external access

Background: We're creating an offer for a Xamarin app for a customer, which is using AEM to manage a lot of content. We are not experienced with AEM, therefore I have the task to find the possibilities regarding a Web connection and how deep into AEM we need to interfere to get the desired data.
Usually, I would never ask such a general question here, but after some hours of research, I didn't find any hint regarding a public API:
I've started a chat with an Adobe employee, but he told me that he can't help me regarding technical questions.
I've analyzed the AEM architecture, finding Sling being a Web API (https://helpx.adobe.com/experience-manager/using/querying-experience-manager-sling.html), but it is also just Java.
I've also found AEM Assets (https://helpx.adobe.com/experience-manager/6-4/assets/user-guide.html), but analyzing it, it seems like this is more like a Web App on top of AEM.
I've also found Web APIs in AEM Screens, https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/developing-screens-rest-api.html, but the architecture here seems also very tightly coupled between the UI and the Web APIs.
So, my question: Is there just no Web API at all? Or is one of the subproducts of AEM the endpoint we could use to get data?
Based on the fact that you mentioned Xamarin I guess you are supposed to work on a mobile app.
You basically have four options, if you want to build that using AEM:
Use the Single Page Application (SPA) capabilities of AEM (requires AEM 6.4).
Use the (legacy) PhoneGap capabilities of AEM.
Use the out-of-the-box Sling APIs to expose the data you need and use them in your Xamarin app.
Write a custom (web service) API and use that in your Xamarin app.
I would strongly suggest having a look at the SPA support, or the PhoneGap capabilities if you are not running AEM 6.4.
Working with the Sling API or building your own API is not the best option if you are new to AEM. There are so many pitfalls that will cause you a lot of headaches and you run the risk of creating an unmaintainable mess of an AEM project.

ASP.NET Web API with DotNetOpenAuth

I am building a RESTful web API for my ASP.NET MVC4 web application using ASP.NET WebAPI. I want to use OAuth 1.0 to provide authorization. I'm looking toward the DotNetOpenAuth library. Can anyone help me to understand how to use the service provider of this library with ASP.NET WebAPI?
I'm in a similar situation as you.
I would recommend you take a look at Thinktecture's IdentityModel Authorization extensions for Web API (and MVC).
It's an open source project hosted on GitHub, with samples to take a look at as well.
You can also grab a lot of useful info from Dominick Baier's blog.
Have you looked at the OAuthServiceProvider sample that comes with DotNetOpenAuth? It demonstrates a WCF service that is protected by OAuth 1.0.

How to secure the RESTful webservices created using Spring's REST API?

We have a Spring web application created using Spring MVC 3.0. In the same application, we have created RESTful web services using Spring's REST API.
Now we need to secure those web services. How do we do this in spring? Can we use spring security for this? If not what are the other options?
Thanks.
It really depends on the level of security you want to impose. You could just use simple web.xml based access control with realms, usernames and passwords.
Security of your webservices is another matter. From the Spring Security FAQ:
Web applications are vulnerable to all kinds of attacks which you should be familiar with, preferably before you start development so you can design and code with them in mind from the beginning. Check out the OWASP web site for information on the major issues facing web application developers and the countermeasures you can use against them.
Spring Security is certainly an option. It is, for the most part, easy (nowadays) to integrate with Spring and has a flexible authentication module.
You should also consider Apache Shiro. A comparison to Spring Security question has already been answered (Shiro vs. SpringSecurity), and Shiro also integrates nicely with Spring.
There are also some other questions already answered on this topic: How to secure a service REST with spring3? and Looking for a Simple Spring security example.
I do not think there is a definitive answer to the question in its current form, but I hope this helps all the same.

Is ASP.NET MVC a Good Fit for an Event Ticketing Site?

Good Afternoon,
I'm rebuilding an event ticketing site originally developed using ASP.NET 3.5 WebForms and am considering using ASP.NET MVC2 for the rebuilt solution. I like the idea of friendly URLs, as the current site has very long query string URLs for each specified event. MVC2 also appeals from a separation of concerns point of view. The biggest unknown for me is whether MVC2 will handle calls to 3 separate web services (SOAP and REST) to get ticket availability. That is, does the controller functionality permit use of such web services? Finally, MVC3 is due to RTM in January. Am I better off waiting for MVC3, or can I start the project in MVC2 and port it later?
Thanks for all your advice and insight.
MVC can handle any HTTP request as ASP.NET WebForms does. Indeed, you should consider using WCF for handling SOAP queries. And yes, sure, you can easily create a REST API with MVC.
It is better to start now, with ASP.NET MVC 3 RC2. It is very stable and nice. This will minimize migration work. Welcome to MVC happy world!
The controller will let you run pretty much any code you want.
I just started using MVC in a big project and it's turning out well. We went with MVC 3 and it's been a little tricky living on the edge, but it seems to have a lot of nice improvements. I'm extremely happy to be using MVC instead of Web Forms. To me, it seems to flow smoothly instead of fighting with the way the web works.

iPhone/iPad apps with backend databases?

We're investigating the iPhone Enterprise Developer Program as a way to develop and distribute in-house apps. Since our backends are all Windows, SQL server and Oracle databases, we have to find out a way to make our data available for the coming in-house apps.
As far as I know, Core Data is mainly based on SQLite as its persistent store. I am not sure if there are any APIs available in the iPhone SDK for SQL Server or Oracle databases. Another possibility, or a very attractive strategy, is to build our own web-based REST services as a CRUD gateway to our databases.
Personally, I prefer to integrate in-house apps with our ASP.NET based web services. I am not sure if this is possible. Are there any examples or documentations about this strategy?
An interesting option is to expose your data from your server using ASP.NET OData, then use this project to generate a client in Objective-C to consume your OData service.
As far as I am aware there are no approved APIs to access a server-based database. The way we do it in our organisation is pretty much the way you are suggesting. In some instances we are using SOAP, but typically we just use a custom JSON or XML web service to access the data.
With regards to ASP.NET, are you talking about making native iPhone apps with ASP.NET or getting a native iPhone app to talk to an ASP.NET web service? If it's the first, then have a look at MonoTouch (don't know much about it); if it's the latter, then this shouldn't cause issues. Just use NSURLConnection and deal with the resource structure on the app (be it JSON or XML).
The added advantage of using a web service rather than a straight database connection is that you get encryption for free using https.
Hope that helps.
There's a product called SUP (Sybase Unwired Platform). It provides a framework to handle access to databases, but has the advantage that there doesn't need to be online access all the time: it stores persistent data locally and then can sync up with the host database using messaging.