Security
Authentication is the process in which a user provides credentials that are then compared to those stored in an operating system, database, app or resource. If they match, the user is authenticated and can then perform the actions they are authorized for. Authorization is the separate process that determines what a user is allowed to do.
Authentication is the process of determining a user's identity.
Authorization is the process of determining whether a user has access to a resource.
role-based authorization
policy-based authorization
claims-based authorization
Cross-Origin Resource Sharing is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.
CORS is not a security feature; it relaxes security. An API is not made safer by allowing CORS.
There are three ways to enable CORS:
In middleware using a named policy or default policy.
var MyAllowSpecificOrigins = "_myAllowSpecificOrigins";
var builder = WebApplication.CreateBuilder(args);

builder.Services.AddCors(options =>
{
    options.AddPolicy(name: MyAllowSpecificOrigins, policy => // named policy
    {
        policy.WithOrigins("http://example.com", "http://www.contoso.com")
              .AllowAnyHeader()
              .AllowAnyMethod();
    });

    options.AddDefaultPolicy(policy => // default policy
    {
        policy.WithOrigins("http://example.com", "http://www.contoso.com");
    });
});

// services.AddResponseCaching();
builder.Services.AddControllers();

var app = builder.Build();

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();

app.UseCors(MyAllowSpecificOrigins); // using named policy

app.UseAuthorization();
app.MapControllers();

app.Run();
Using endpoint routing.
var MyAllowSpecificOrigins = "_myAllowSpecificOrigins";
var builder = WebApplication.CreateBuilder(args);

builder.Services.AddCors(options =>
{
    options.AddPolicy(name: MyAllowSpecificOrigins, policy =>
    {
        policy.WithOrigins("http://example.com", "http://www.contoso.com");
    });
});

builder.Services.AddControllers();
builder.Services.AddRazorPages();

var app = builder.Build();

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();

app.UseCors(); // no policy name: each endpoint opts in with RequireCors below

app.UseAuthorization();

app.UseEndpoints(endpoints =>
{
    endpoints.MapGet("/echo",
        context => context.Response.WriteAsync("echo"))
        .RequireCors(MyAllowSpecificOrigins);

    endpoints.MapControllers()
        .RequireCors(MyAllowSpecificOrigins);

    endpoints.MapGet("/echo2",
        context => context.Response.WriteAsync("echo2")); // no RequireCors: policy not applied

    endpoints.MapRazorPages();
});

app.Run();
With the [EnableCors] attribute.
[Route("api/[controller]")]
[ApiController]
public class WidgetController : ControllerBase
{
    // GET api/values
    [EnableCors("AnotherPolicy")]
    [HttpGet]
    public ActionResult<IEnumerable<string>> Get()
    {
        return new string[] { "green widget", "red widget" };
    }
}
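The point that CORS relaxes rather than adds security is easiest to see from what the middleware actually decides. The following is an added example, not code from the page or from ASP.NET Core: a small model of the CORS decision for the named policy in the listings above. The policy values and the request origins, including the unlisted one, are constructed for the demonstration.

```csharp
// Added example, not from the page or from ASP.NET Core: a model of the CORS
// middleware's decision for the named policy in the listings above. The policy
// and the request origins (including the unlisted one) are constructed values.
using System;
using System.Collections.Generic;
using System.Linq;
var policy = new CorsPolicyModel(new[] { "http://example.com", "http://www.contoso.com" }, AllowAnyMethod: true);
var requests = new[]
{
    new RequestModel("GET", "http://www.contoso.com", null),       // listed origin
    new RequestModel("GET", "http://unlisted.example", null),      // unlisted origin
    new RequestModel("OPTIONS", "http://unlisted.example", "PUT"), // preflight from unlisted origin
};
foreach (var req in requests)
{
    var r = CorsEvaluator.Evaluate(policy, req);
    Console.WriteLine($"{req.Method} from {req.Origin}: status={r.StatusCode}, endpoint ran={r.EndpointExecuted}, " +
        $"cors headers=[{string.Join("; ", r.Headers.Select(h => h.Key + ": " + h.Value))}]");
}

record CorsPolicyModel(string[] Origins, bool AllowAnyMethod);
record RequestModel(string Method, string Origin, string? PreflightMethod);
record CorsResult(int StatusCode, bool EndpointExecuted, Dictionary<string, string> Headers);
static class CorsEvaluator
{
    public static CorsResult Evaluate(CorsPolicyModel policy, RequestModel req)
    {
        var headers = new Dictionary<string, string>();
        // WithOrigins matches the whole origin (scheme, host and port), never a substring.
        bool originAllowed = policy.Origins.Contains(req.Origin, StringComparer.OrdinalIgnoreCase);
        if (req.Method == "OPTIONS" && req.PreflightMethod != null)
        {
            // Preflight: the middleware answers with 204 itself and the endpoint never runs;
            // the CORS headers are only added when the origin is in the policy.
            if (originAllowed)
            {
                headers["Access-Control-Allow-Origin"] = req.Origin;
                headers["Access-Control-Allow-Methods"] = policy.AllowAnyMethod ? req.PreflightMethod : "GET";
            }
            return new CorsResult(204, false, headers);
        }
        // Simple request: the endpoint runs for every origin. The policy only decides whether
        // Access-Control-Allow-Origin is sent, i.e. whether the browser lets the calling page
        // read the response; the server-side work has already been done either way.
        if (originAllowed)
            headers["Access-Control-Allow-Origin"] = req.Origin;
        return new CorsResult(200, true, headers);
    }
}
```

The second request shows why the policy is not an access control: the unlisted origin's GET still executes the endpoint and gets a 200, only the browser-side read is withheld. Anything the endpoint must protect needs authentication and authorization, not an origin list.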
When you implement IValidatableObject, which language feature processes the individual properties being validated?
C# Generator/Yield pattern