I am making a choice between ASP.NET Web API and WCF.
I am not quite sure about the authentication part. Could some one shed some light on the differences?
I suppose there would be no actual difference under the hood. After all, the authenticaton mechanism refers to the HTTP request level on the ASP.NET engine integrated in IIS. It should have nothing to do with whether the module responding the specific HTTP request is implemented as an ASP.NET web page, WCF or Web API endpoint.
Nevertheless, there would be some differences in modelling and perhaps in configuration. WCF models the authentication mechanism as a "WCF authentication service" while Web API uses the normal security model of ASP.NET.
Use this WCF and ASP.NET security guide and this Web API security guides as a reference.
Hope I helped!
Related
I have a web application(HRMS) in asp.net MVC4 and a Windows Form (later on converted in windows service) connected to a biometric device. So question is should I use WCF Service or asp.net web api to send attendance data?
Thanks in advance
Go for ASP.NET Web API.
Use WCF to create reliable, secure web services that accessible over a
variety of transports. Use ASP.NET Web API to create HTTP-based
services that are accessible from a wide variety of clients. Use
ASP.NET Web API if you are creating and designing new REST-style
services. Although WCF provides some support for writing REST-style
services, the support for REST in ASP.NET Web API is more complete and
all future REST feature improvements will be made in ASP.NET Web API. If you have an existing WCF service and you want to expose
additional REST endpoints, use WCF and the WebHttpBinding.
Its better to stay with WebAPI as it looks to be more appropriate for building further real RESTfull service development. WCF was originally created to enable SOAP-based services. For simpler RESTful or RPCish services (think clients like jQuery) ASP.NET Web API should be good choice.
I'm working on segregating the authentication part of my ASP.net MVC4 application using DotNetOAuth 2.0, Which will means that one project will do only authentication and send out response,based on response it will have access to other application.
The Idea is to get any application or project added later on use one common authentication process.
First thing came to my mind was building a service, in the process a read a lot about Web API and think it can help to achieve what I'm looking for.
Please suggest if you guys have implemented something like this or whats's the best practice.
Should i go with API or service, any link or sample to direct is appreciated
ASP.NET Web API is also a service - a RESTful service. The choice of using a "Service" although is good your underlying authentication platform will define what you should be using.
WCF is much more than a web service where as a Web API is pure HTTP service.
If you expect all your "applications" to be web based then there is no reason why this cannot be a Web API.
This article might be something that should help you decide on your authentication model: http://www.asp.net/web-api/overview/security/external-authentication-services
I have a WPF application that uses Client Application Services to allow authentication (username/password logon) against a related web application that uses Forms authentication and the SqlMembershipProvider/SqlProfileProvider/SqlRoleProvider. This all works and I can reliably validate a user/password combination.
The WPF application also calls a number of WCF services that are exposed by the same web application as is used for the CAS authentication. I now want to be able to pass through the authentication details (from Client Application Services) to the WCF services in order that I can identify the user that was authenticated within those services. I also need to be able to prevent the WCF services from being used if no authentication has taken place.
I have found a couple of .NET 3.5 examples where CAS authentication is used against .asmx web services, or authentication is provided against WCF Data Services which does not use ClientBase and has authentication facilities built in, but I cannot find any examples with pure WCF. Can anybody point me toward instruction that will enable this scenario? I am using .NET 4.0 for this project.
I have also found this stackoverflow question but again this is answered for .asmx web services and not for WCF.
The closest I have gotten involves the creation of an OperationContextScope and then copying the cookie header from the ClientFormsIdentity object to an HttpRequestMessageProperty and adding this to the OutgoingMessageProperties of the current OperationContext. I then call one or more methods of the service within the lifespan of the OperationContextScope. Thing is, when I then get to the WCF service, I still cannot see anything that resembles authentication in such a way as I can identify the original user. This methodology has been taken from various examples but I am obviously missing a step at the WCF end.
I think you need to switch to the Web API that Microsoft is now having people use for WCF Services. Check out Using Forms Authentication with Web API and http://aamirposwal.blogspot.com/2012/05/aspnet-web-api-custom-authorize-and.html
Found it.
In my binding, I specified allowCookies="true".
According to Wiktor Zychla, "setting the AllowCookies property on a BasicHttpBinding to true turns on the automatic cookie management" - this means that any attempt to set a cookie in code will be ignored and this is what I was doing.
I've been reading up about MVC 4 and was interested in the web API feature.
In what scenarios would it be advantageous to use web api over a WCF Http service?
Web API provides far more access to all aspects of the HTTP interaction. It was designed from the ground up around the HTTP spec. WCF is fine if you are just using HTTP to get through the firewall. If you really want to use HTTP as an application protocol, you will find Web API much easier.
I want to port an existing ASP.NET Web Service to WCF so the resulting Web Service (1) is RESTful, (2) uses JSON as its request/response format, (3) has a custom authentication mechanism.
After a lot of googling, random coding, and wanting to hit my head against the wall, I found that...
A webHttpBinding has to be used to make the Web Service RESTful. But...
webHttpBinding does not support HTTPS hosts.
webHttpBinding does not support UserName authentication.
webHttpBinding does not even support message security.
An endpoint behavior with <enableWebScript/> has to be used to support ASP.NET AJAX. But...
What is "ASP.NET" AJAX?
What if I want to consume the Web Service using "regular" AJAX?
And, most importantly...
Can WCF do what I want to do in first place?
If not, what other platforms could I use?
I've written WCF service that does both SOAP and REST with XML and JSON, and custom auth. I've pushed the custom authentication into HTTP module, which does basic auth over https. See Custom HTTP Basic Authentication for ASP.NET Web Services on .NET 3.5/VS 2008 and WCF POX, JSON and SOAP Coexist.
In the setup you describe, the web servier (i.e. IIS) will be responsible for encryption (HTTPS) and authentication (e.g. basic authentiction). IIS can be extended with a custom authentication mechanism (just google for "IIS module handler").
It's a bit strange that it has to be delegated to IIS and is not part of WCF. But it's no problem at all.