ASP.NET Web API in Azure: Customize authentication filter to prevent brute force?


I have a website built from the VS2013 SPA template (Web API 2.2) with ASP.NET Identity 2.1, and it all works really well. My controller methods look like this:

    [Authorize]
    public ApiModel GetWidget(int widgetId)
    {
        // GetUserId is the Microsoft.AspNet.Identity extension method on IIdentity
        var requestingUserId = Int32.Parse(Microsoft.AspNet.Identity.IdentityExtensions.GetUserId(User.Identity));
        ...
    }

It works as expected:

  • Unauthorized users are not granted access
  • After a user is authorized, I can get their user ID

But I now want to modify the application to stop excessive API requests. I am planning to check whether a particular user ID has made a certain number of requests within a given time window. I am looking for suggestions on the best place to do this.

I do not want to repeat this logic in every controller, and it seems that an action filter could be the best place for it. But since this needs to read the user ID and I'm not sure the order of the filters is guaranteed, is it possible to get at the filter which is already performing the authorization and add my extra logic there?

I am hoping that someone can give an example of doing something like this? It seems that instead of [Authorize] it would be a custom authentication filter, and I'm not sure how I would add it.

Thanks for any suggestions ...

There are several filter options. Authorization filters make security decisions about whether to execute an action method, such as performing authentication or validating properties of the request. Example:

    using System;
    using System.Threading;
    using System.Threading.Tasks;
    using System.Web;
    using System.Web.Http;
    using System.Web.Http.Controllers;
    using Microsoft.AspNet.Identity;

    public class WebApiAuthorizeAttribute : AuthorizeAttribute
    {
        public override async Task OnAuthorizationAsync(HttpActionContext actionContext, CancellationToken cancellationToken)
        {
            // Let the standard [Authorize] check run first; it sets a 401 response on failure
            await base.OnAuthorizationAsync(actionContext, cancellationToken);
            if (actionContext.Response != null)
            {
                return; // already rejected: GetUserId() would be null here and new Guid(null) throws
            }

            Guid userId = new Guid(HttpContext.Current.User.Identity.GetUserId());
            // ... your validation logic here
        }
    }

Action filters wrap the execution of the action method. This filter can do additional processing, such as providing extra data to the action method, inspecting the return value, or canceling execution of the action method.

To reduce the load on your server, you can cache any HTTP response in the user's browser for a predetermined time; if the user requests the same URL again within that time, the browser loads the cached response instead of asking the server. As the OutputCache attribute is not available for Web API, you can apply your own action filter attribute for caching:

    using System;
    using System.Web;
    using System.Web.Mvc;

    // Note: ActionExecutedContext and filterContext.HttpContext are System.Web.Mvc types,
    // so this attribute applies to MVC controllers; Web API's ActionFilterAttribute lives in
    // System.Web.Http.Filters and exposes an HttpActionExecutedContext instead.
    public class CacheFilterAttribute : ActionFilterAttribute
    {
        /// <summary>
        /// Gets or sets the cache duration in seconds. The default is ten seconds.
        /// </summary>
        /// <value>The cache duration in seconds.</value>
        public int Duration { get; set; }

        public CacheFilterAttribute()
        {
            Duration = 10;
        }

        public override void OnActionExecuted(ActionExecutedContext filterContext)
        {
            if (Duration <= 0) return;

            HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;
            TimeSpan cacheDuration = TimeSpan.FromSeconds(Duration);

            cache.SetCacheability(HttpCacheability.Public);
            cache.SetExpires(DateTime.Now.Add(cacheDuration));
            cache.SetMaxAge(cacheDuration);
            cache.AppendCacheExtension("must-revalidate, proxy-revalidate");
        }
    }

Additional thoughts

Once the user makes a call against your web API, you can increment a counter and then use this counter to detect large numbers of calls from the same user within a time limit. The problem is where to store this counter.

If you store the counter in an RDBMS such as SQL Server, then every user call will involve a DB access. This can be a performance problem; the storage should be as lightweight as possible. Therefore using a NoSQL DB can be a good way.
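A worked example of the approach discussed in the answer above. This is an added illustration, not code from the question or the answer: a Web API 2 AuthorizeAttribute subclass that runs the standard authorization first and only then counts requests per user ID in a fixed time window, rejecting the call with HTTP 429 once the limit is exceeded. The attribute name ThrottledAuthorizeAttribute, the default limits (100 requests per 60 seconds) and the in-process ConcurrentDictionary store are assumptions chosen for the example; the answer's remark about where to store the counter applies directly, because on a scaled-out Azure deployment each instance would keep its own dictionary.

```csharp
using System;
using System.Collections.Concurrent;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Controllers;
using Microsoft.AspNet.Identity;

// Added example (not from the question or answer): [Authorize] plus a per-user
// request counter. Limits and the in-memory store are assumptions for illustration.
public class ThrottledAuthorizeAttribute : AuthorizeAttribute
{
    // One counter window per user id. This dictionary lives in a single process:
    // on a scaled-out deployment each instance counts separately, so a shared store
    // (the "where to store this counter" problem from the answer) is needed there.
    private static readonly ConcurrentDictionary<string, Window> Windows =
        new ConcurrentDictionary<string, Window>();

    public int MaxRequests { get; set; }   // requests allowed per window
    public int WindowSeconds { get; set; } // fixed window length in seconds

    public ThrottledAuthorizeAttribute()
    {
        MaxRequests = 100;
        WindowSeconds = 60;
    }

    public override async Task OnAuthorizationAsync(HttpActionContext actionContext, CancellationToken cancellationToken)
    {
        // Standard [Authorize] behaviour first: it sets a 401 response when the caller is not authenticated.
        await base.OnAuthorizationAsync(actionContext, cancellationToken);
        if (actionContext.Response != null)
        {
            return; // already rejected; there is no user id to count against
        }

        var principal = actionContext.RequestContext.Principal;
        string userId = (principal == null || principal.Identity == null) ? null : principal.Identity.GetUserId();
        if (string.IsNullOrEmpty(userId))
        {
            return; // authenticated but without a user id claim; let the action decide
        }

        if (!TryRecordRequest(userId, DateTime.UtcNow))
        {
            // 429 is not a member of HttpStatusCode on .NET 4.5, hence the cast.
            var response = actionContext.Request.CreateResponse((HttpStatusCode)429, "Too many requests");
            response.Headers.RetryAfter = new RetryConditionHeaderValue(TimeSpan.FromSeconds(WindowSeconds));
            actionContext.Response = response;
        }
    }

    // Fixed-window counter: returns true while the user is within MaxRequests for the
    // current window, false once the limit is exceeded. Kept separate from the filter
    // pipeline so it can be exercised in a unit test with a controlled clock.
    internal bool TryRecordRequest(string userId, DateTime now)
    {
        var window = Windows.GetOrAdd(userId, key => new Window { Start = now });
        lock (window)
        {
            if ((now - window.Start).TotalSeconds >= WindowSeconds)
            {
                window.Start = now; // window expired: start a fresh one
                window.Count = 0;
            }
            window.Count++;
            return window.Count <= MaxRequests;
        }
    }

    private class Window
    {
        public DateTime Start;
        public int Count;
    }
}

// Usage on a Web API controller or action, in place of [Authorize]:
// [ThrottledAuthorize(MaxRequests = 20, WindowSeconds = 60)]
// public ApiModel GetWidget(int widgetId) { ... }
```

Because the attribute derives from AuthorizeAttribute, the authorization check and the counter run in the same filter, which sidesteps the question's concern about filter ordering: the user ID is only read after the base class has accepted the request, and an anonymous caller never reaches the counter.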
