2
votes

I'm quite new to ASP.NET MVC and Web API technologies.

Scenario: I'm designing an MVC web application for an enterprise. I'm aware that MVC controllers can have authorization and authentication via security attributes.

The web application shows various trends for household water consumption. The vision is to have this data accessible via mobile, tablets (you name it).

I'm wondering whether Web API would be better than controllers, so that the same API can be consumed by many devices.

Question: The question I have with Web API is security. In the web application, once a user has logged in, the controller knows the user's security profile etc. In the case of devices, how would security work? Must all the clients pass credentials, and if so, how is security handled on the server? Should we create one service account and provide it to each client?

Thank you, not sure if I explained well.

1
Are you creating an API or a web app? You say that you will be creating an MVC web application. If that is the case, then design your website so that it can be viewed by mobile devices. Security and authorization are not an issue. – c0deNinja
Thanks @c0deNinja, yes I'm creating a web application. But I would not mind using jQuery to invoke Web API. – Nil Pun
Do you still have a question? As Myagdi said, it's really not an issue to think about security in the case of different device views. And attributes aren't the only way to manage security in Web API; I prefer DelegatingHandler, which works more naturally with IoC. – Denis Agarev

1 Answer

1
votes

MVC security is an overlay on standard ASP.NET authentication/authorization. The AuthorizeAttribute indicates that the user must be authenticated to access this resource. It looks at the User IPrincipal for IsAuthenticated and Roles.

So this then becomes an ASP.NET authentication solution.

User Authentication - Straightforward using any of the methods mentioned in the first article.

Device Authentication - No generic answer for this, and there really isn't a truly secure way of authenticating a device. You can identify the device by passing unique data (device serial) in the URL or an HTTP header.
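One way to wire per-client credentials into the Web API pipeline so that the answer's AuthorizeAttribute check and the comment's DelegatingHandler suggestion fit together, as an added example that is not code from the original post: the handler resolves the caller from an `Authorization` header and sets the IPrincipal that `[Authorize]` inspects for IsAuthenticated and Roles. The `ApiKey` scheme, `ClientKeyStore`, its sample keys and `ConsumptionController` are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Hypothetical per-client credential store with constructed sample values.
// A real deployment would keep hashed keys in a protected store, one key per client,
// rather than one shared service account, so a leaked key can be revoked individually.
static class ClientKeyStore
{
    private static readonly Dictionary<string, Tuple<string, string[]>> Keys =
        new Dictionary<string, Tuple<string, string[]>>
        {
            { "tablet-key-CONSTRUCTED", Tuple.Create("tablet-42", new[] { "Household" }) },
            { "mobile-key-CONSTRUCTED", Tuple.Create("phone-17",  new[] { "Household" }) },
        };

    public static bool TryResolve(string key, out Tuple<string, string[]> client) =>
        key != null && Keys.TryGetValue(key, out client) || (client = null) != null;
}

// Runs before routing; registered once in WebApiConfig.Register:
//   config.MessageHandlers.Add(new ApiKeyAuthenticationHandler());
public class ApiKeyAuthenticationHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        Tuple<string, string[]> client;
        if (auth != null && auth.Scheme == "ApiKey" && ClientKeyStore.TryResolve(auth.Parameter, out client))
        {
            var claims = new List<Claim> { new Claim(ClaimTypes.Name, client.Item1) };
            foreach (var role in client.Item2) claims.Add(new Claim(ClaimTypes.Role, role));
            // A non-empty authentication type makes IsAuthenticated true for [Authorize].
            var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "ApiKey"));
            request.GetRequestContext().Principal = principal;
            Thread.CurrentPrincipal = principal;
        }
        // Unknown or missing key: continue anonymously; [Authorize] answers 401 where required.
        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);
        if (response.StatusCode == HttpStatusCode.Unauthorized)
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("ApiKey"));
        return response;
    }
}

[Authorize(Roles = "Household")]
public class ConsumptionController : ApiController
{
    // User.Identity.Name is the client name the handler resolved from the key.
    public IHttpActionResult Get() => Ok(new { client = User.Identity.Name, litres = 1234 });
}
```

A header value such as a device serial only identifies the device, as the answer notes; the key above is what the server actually verifies, and it should be sent only over HTTPS.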