With such wide accessibility, securing your code effectively needs to be a top priority. You will quickly find that the WCF security protocols you’re familiar with from .NET are less suitable than they once were in this new environment, proving themselves cumbersome and limited in terms of the standards they can work with.
Fortunately, ASP.NET Web API provides a simple, robust security solution of its own that fits neatly within the ASP.NET MVC programming model and secures your code without the need for SOAP, meaning that there is no limit to the range of devices that it can work with – if it can understand HTTP, then it can be secured by Web API. These SOAP-less security techniques are the focus of this book.
Most helpful customer reviews
10 of 10 people found the following review helpful.
Great for anyone who wants to be more informed about securing anything that runs over HTTP
This is a fantastic and thorough book, which was exactly what I wanted.
Far and away, my favorite part about this book is the depth to which it explains the technologies that underlie both ASP.NET Web API (namely HTTP) and security, for example X.509 certificates, Federation services, hashing, digital signing and encryption. At every step of the way real code is presented to either use the facilities described or to implement the services in question (even though the implementations are sometimes just for illustration, and not full implementations of production quality systems).
I would flat-out recommend this book to anyone who needs or would like to learn about web technology security. Although you'll have to put up with a little Web API material you might not be specifically interested in, 90% of the book is relevant to all web programming. And even if you aren't interested much in Web API - read it cover to cover anyway. The essence of RESTful web services is leveraging the power of HTTP - which underlies most web related programming I've encountered. And even though the book doesn't specifically address technologies like JSON, CORS, ETags and Cookies, their role in web programming is illuminated through the context of securing Web API, which should help the reader understand these and other subjects from a perspective not always addressed in other sources.
Let me stress - much of this book is not specific to Web API. In fact, if you only wanted to secure a web-enabled application of any type, most of this book applies to what you're trying to do. That having been said, if you do need to work on a Web API application, you'll find everything you need right here.
I can tell you that before reading this book, I had played with OAuth 2.0 to the point of even getting an application talking to LinkedIn. Now I understand what I was doing.
I recommend this book for anyone:
- Somewhat experienced with C#. You won't get anything out of the code samples unless you know C# to at least be able to read the syntax. The author explains the code samples extensively, so this isn't an absolute requirement, but it'll help you get the most out of the book.
- Interested in learning more in depth about web programming, having done some.
- Interested in ASP.NET Web API, but willing to learn about the platform itself from other sources.
- Interested in computer security in general, or specifically in the securing of web applications (beyond even Web API).
- Interested in RESTful web services (although if you hate security, you won't find the bulk of the book to be useful).
- Thinking about integrating cloud type software with other software, and how you can go about providing authentication and authorization across the cloud boundaries.
I don't recommend this book for someone:
- Totally unfamiliar with C#.
- Completely new to web programming.
- Considering her/himself to be an expert on web security topics, and wants to become an expert Web API application designer. You won't be learning about how to put together a Web API, just how to secure it.
Negatives for the book:
The index isn't very good, or at least, after I read the book and I wanted to reread about a specific topic, I had to find it myself by context matching with the table of contents. The index never listed the items I wanted to review.
There is a lot of code. The author does as good a job as I've seen explaining what each snippet does and how it's important, but still there are a few places where page after page of code is presented. Still, my preference is to only get the really important lines of code so that I can focus on the topic at hand, and not have to mentally trace variables from method listing to method listing. Some folks might prefer it this way, but I think it muddies up an otherwise good read.
17 of 18 people found the following review helpful.
By Maximilian Alexander
This book is absolutely amazing and extremely well written and impressive in how much it covers. If you're not too familiar with web security, this book does a great job explaining the concepts and the reasoning behind modern web security from the ground up. Badri maintains a conversation as the book progresses from the basics of HTTP to token-based API security. The code samples are sure classic in many future projects not only because of how digestible they are but also based on the surrounding explanation. There are plenty of great code samples that are easily readable and formattable. The book shows implementations of Windows Identity Foundation as well as TWO methods of implementing an OAuth 2.0 Resource & Authorization Server and how to use the access tokens to implement security in the ASP.NET Web API.
Even if ASP.NET Web API isn't your method of choice for creating JSON/XML and RESTful services, there is so much to take away from this book. It's an absolute buy and a pleasure to read.
1 of 1 people found the following review helpful.
Wow - talk about detailed
By Waylon Martinez
Great book, very detailed.
A wonderful overview of how to secure ASP.NET Web API. I appreciated the ground up approach to the book. At first I felt like there was a lot of unrelated material being covered (because I was mainly interested in the OAuth 2.0 workflows), but in the end the material covered was so well put together - each chapter built on the previous chapter.
A very well written book - one of the top security books I have read recently.
Also I loved the addition of chapter 15 - a 2013 OWASP list of the top 10 security vulnerabilities and how they relate to ASP.NET Web API - I didn't see that coming; a great way to end the book.