I have been challenged with the task of coming up with an authentication/authorization strategy for a pretty big WCF API. My task is to implement security on this API from clients who might be a website, a mobile app, or an internal/network admin user (which is pretty much the goal of any solid API).
I have looked into Windows Identity Foundation and federated security, but it relies on WS-* and my clients might be using REST or a non-SOAP protocol. So, my question:
Is there a security strategy (per method call, preferably using attributes) for WCF that does not rely on SOAP or involve reams of configuration files?
I realize there's probably no catch-all solution. I'm really looking for ideas or suggestions. This turns out to be a really tricky challenge.
Basic Authentication and HTTPS is a straightforward and "secure enough" solution for most API authentication requirements.
When you say "per method call", I'm getting the impression that you are talking about authorization. For that you are probably going to have to roll something yourself. The upcoming Microsoft Web Api framework has some good extension points that will make this type of functionality much easier to implement. It shouldn't be too long before someone implements a reusable module for this framework that you can just plug in.
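One way to "roll something yourself" for per-operation authorization on a WCF webHttp endpoint, as an added example that is not part of the question or the answer above: a custom attribute that implements `IOperationBehavior` and wraps the operation's `IOperationInvoker`, so the Basic credentials and required role are checked before the method body runs. The `RequireRoleAttribute`, `AuthorizingInvoker` and the in-memory `Users` store are hypothetical names constructed for this sample; it assumes the endpoint binding is HTTPS, as the answer recommends.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Web;
using System.Text;
// Marks one WCF operation as requiring a role on a webHttp (REST) endpoint: no SOAP headers, no config section.
[AttributeUsage(AttributeTargets.Method)]
public sealed class RequireRoleAttribute : Attribute, IOperationBehavior
{
    public string Role { get; private set; }
    public RequireRoleAttribute(string role) { Role = role; }
    // Wrap the dispatcher's invoker so the check runs before the real method body.
    public void ApplyDispatchBehavior(OperationDescription d, DispatchOperation op)
    { op.Invoker = new AuthorizingInvoker(op.Invoker, Role); }
    public void ApplyClientBehavior(OperationDescription d, ClientOperation c) { }
    public void AddBindingParameters(OperationDescription d, BindingParameterCollection p) { }
    public void Validate(OperationDescription d) { }
}
sealed class AuthorizingInvoker : IOperationInvoker
{
    // Constructed sample store, user -> { password, role }; real code must query a credential store of hashed passwords.
    static readonly Dictionary<string, string[]> Users = new Dictionary<string, string[]> {
        { "alice", new[] { "s3cret", "Admin" } }, { "bob", new[] { "hunter2", "User" } } };
    readonly IOperationInvoker inner; readonly string role;
    public AuthorizingInvoker(IOperationInvoker inner, string role) { this.inner = inner; this.role = role; }
    public object Invoke(object instance, object[] inputs, out object[] outputs)
    {
        var ctx = WebOperationContext.Current;
        if (IsAuthorized(ctx.IncomingRequest.Headers[HttpRequestHeader.Authorization]))
            return inner.Invoke(instance, inputs, out outputs);
        ctx.OutgoingResponse.Headers["WWW-Authenticate"] = "Basic realm=\"api\"";
        throw new WebFaultException(HttpStatusCode.Unauthorized); // 401 before the method body runs
    }
    // Parse "Basic base64(user:password)", then check the password and the required role.
    bool IsAuthorized(string header)
    {
        if (header == null || !header.StartsWith("Basic ", StringComparison.Ordinal)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6))); }
        catch (FormatException) { return false; } // malformed base64 is simply rejected
        int colon = decoded.IndexOf(':');
        return colon > 0 && Users.TryGetValue(decoded.Substring(0, colon), out var user)
            && user[0] == decoded.Substring(colon + 1) && user[1] == role;
    }
    public object[] AllocateInputs() { return inner.AllocateInputs(); }
    public bool IsSynchronous { get { return inner.IsSynchronous; } }
    public IAsyncResult InvokeBegin(object i, object[] a, AsyncCallback cb, object s) { return inner.InvokeBegin(i, a, cb, s); }
    public object InvokeEnd(object i, out object[] o, IAsyncResult r) { return inner.InvokeEnd(i, out o, r); }
}
```

Place `[RequireRole("Admin")]` on a service method next to its `[WebGet]` or `[WebInvoke]`; operations without the attribute stay unprotected, so every sensitive operation needs one.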