Problem description
I have a simple question that may point out to a complicated answer :(
I have a web api which works fine. But now I want to set up Authentication/Authorization. I need it to work on all platforms, but mainly from jQuery. Naturally I don't want to send my username and password along the pipeline in plain text like this:
function GetAllCategories() {
    // $.base64 comes from a jQuery base64 plugin, not from jQuery core
    var credentials = $.base64.encode('r3plica:mypassword');
    var authType = "Basic " + credentials;
    $.ajax({
        url: "http://localhost:18904/api/Categories",
        type: "GET",
        beforeSend: function (xhr) {
            xhr.setRequestHeader("Authorization", authType);
        },
        success: function (data) {
            alert('Success!');
        },
        error: function () {
            alert('error');
        }
    });
}
so I have been looking at other alternatives. Is the only alternative to use 3-legged OAuth? I was hoping to just pass a query string key/value to my api and let that handle everything, but I just can't find a step-by-step process for doing that. Everything seems so complicated.
So, does anyone know of anything I can do? I have read loads and tried to implement loads of stuff.
I managed to get this working: http://codebetter.com/johnvpetersen/2012/04/04/moving-from-action-filters-to-message-handlers/
From what I can tell though, you need to encrypt your string (username) prior to sending to the api using your public key and then the api will decrypt using a private key and authorize you.
so my 2 questions are simple :)
- Can you use the link above and call it easily from jQuery (i.e. without using third-party libraries)?
- If not, what is the best way to secure my API so that it can be called directly from jQuery.ajax?
Just to clarify, I am using SSL for the API.
Cheers in advance,
/r3plica
Recommended answer
For websites (where the user can look into the source code) we generate an AuthenticationToken through PHP and put it into JavaScript. The token changes on every page reload.
For example:
<script type="text/javascript">var authToken = '<?=genToken();?>'</script>
[...]
$.ajax( [..]
    beforeSend: function (xhr) {
        xhr.setRequestHeader("ownToken", authToken);
    },
and check that token server-side.