2

I'm quite new to ASP.NET MVC Web API technologies.

Scenario: I'm designing an MVC web application for an enterprise. I'm aware that MVC controllers can have authorization and authentication via security attributes.

The web application shows various trends for household water consumption. The vision is to have this data accessible via mobile, tablets (you name it).

I'm wondering whether WebAPI would be better than controllers, so that the same API can be consumed by many devices.

Question: The question I have with WebAPI is the security. In the web application, once the user has logged in, the controller knows the user's security profile etc. In the case of devices, how would the security work? Should all the clients pass credentials, and if so, how is security handled on the server? Should we create one service account and provide it to each client?

Thank you, not sure if I explained well.

3
  • Are you creating an API or a web app? You say that you will be creating an MVC web application. If that is the case, then design your website so that it can be viewed by mobile devices. Security and authorization are not an issue. Commented Apr 29, 2012 at 10:07
  • Thanks @c0deNinja, yes, I'm creating a web application. But I would not mind using jQuery to invoke WebAPI. Commented Apr 29, 2012 at 10:14
  • Do you still have a question? As Myagdi said, it's really not an issue to think about security in the case of different device views. And attributes aren't the only way to manage security in WebApi; I prefer DelegatingHandler, which is more likely with IOC. Commented Jul 19, 2012 at 9:07

1 Answer

1

MVC security is an overlay of standard ASP.NET authentication/authorization. The AuthorizeAttribute indicates that the user must be authenticated to access this resource. It looks at the User IPrincipal for IsAuthenticated and Roles.

So this then becomes an ASP.NET authentication solution.

User Authentication - Straightforward using any of the mentioned methods in the first article.

Device Authentication - No generic answer for this, and there really isn't a truly secure way of authenticating a device. You can identify the device by passing unique data (device serial) in the URL or HTTP header.
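
An added example, not part of the original answer or of any project's code: a `DelegatingHandler` (the approach mentioned in the comments) that authenticates each device request and sets the `IPrincipal` that `[Authorize]` then checks for `IsAuthenticated` and `Roles`. It assumes ASP.NET Web API hosted in IIS and HTTP Basic credentials sent over HTTPS; `ICredentialValidator`, `BasicAuthHandler`, `ConsumptionController` and the `Consumer` role are hypothetical names.

```csharp
using System;
using System.Net.Http;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using System.Web.Http;
// Hypothetical user-store abstraction: returns the user's roles, or null if the credentials are invalid.
public interface ICredentialValidator { string[] GetRolesOrNull(string userName, string password); }

// Register at startup: GlobalConfiguration.Configuration.MessageHandlers.Add(new BasicAuthHandler(validator));
public class BasicAuthHandler : DelegatingHandler
{
    private readonly ICredentialValidator _validator;
    public BasicAuthHandler(ICredentialValidator validator) { _validator = validator; }

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var auth = request.Headers.Authorization;
        // Accept Basic credentials only when the request arrived over HTTPS.
        bool usable = auth != null && auth.Parameter != null
            && string.Equals(auth.Scheme, "Basic", StringComparison.OrdinalIgnoreCase)
            && request.RequestUri.Scheme == Uri.UriSchemeHttps;
        IPrincipal principal = usable ? TryAuthenticate(auth.Parameter) : null;
        if (principal != null)
        {
            Thread.CurrentPrincipal = principal; // the principal [Authorize] inspects
            if (HttpContext.Current != null) HttpContext.Current.User = principal; // keep IIS context in sync
        }
        // Requests without a valid principal continue; [Authorize] rejects them with 401.
        return base.SendAsync(request, cancellationToken);
    }
    private IPrincipal TryAuthenticate(string parameter)
    {
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter)); }
        catch (FormatException) { return null; } // malformed header: treat as anonymous
        int sep = decoded.IndexOf(':');
        if (sep <= 0) return null;
        string user = decoded.Substring(0, sep);
        string[] roles = _validator.GetRolesOrNull(user, decoded.Substring(sep + 1));
        return roles == null ? null : new GenericPrincipal(new GenericIdentity(user, "Basic"), roles);
    }
}

[Authorize(Roles = "Consumer")] // hypothetical role name
public class ConsumptionController : ApiController
{
    public string Get() { return "trends for " + User.Identity.Name; }
}
```

Because each request carries the individual user's credentials, the server sees the same per-user identity and roles from a mobile client as from the browser, with no shared service account.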
