Hello,
I have a www -> DMZ(web servers) -> Firewall -> Internal Network configuration. WebApi 2.0 services need to sit in my DMZ, but the WebApi reads and writes data from and to a SQL server in my internal network AND the authentication server resides in my internal network. The web api must handle authentication and authorization as well. I would imagine this is very common.
What is a good approach to this? Do I really need to duplicate the functions of my WebApi on both my web servers in DMZ and my internal network? Like this?
1. Client makes request to web server WebApi
2. Web server makes request to Internal Network WebApi
3. Internal Network WebApi processes request and reads/writes data to sql/auth servers and sends response back to web server WebApi
If I must do it this way, I was thinking about writing the public api to get the requests and pass them off to the internal api. But I just don't know how authentication would come into play here. Like, how would token-based security work? And Identity? To my api on internal servers, it would always look like the requests were coming from the Web Server and not the client. Could I pass entire request objects off to the internal api so the internal api could read the token headers and cookies of clients' requests? Sounds like a lot of overhead and performance killing, but it sounds more secure than exposing an SQL port or a port to the auth server.
I can imagine complicated ways of approaching this but I just wanted to get others' opinions and see if I am missing something.
My setup is not nearly as complicated as this: http://forums.asp.net/t/1959744.aspx?Securing+your+web+api+
And links like these:
http://msdn.microsoft.com/en-us/magazine/dn201748.aspx
http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api
don't really address server architecture and seemingly presume the webapi has direct access to auth and sql servers.
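One way to build the pass-through relay sketched in the post, as an added example (not code from the post or from the linked articles): the DMZ Web API forwards each call to the internal Web API and carries the client's own bearer token along, so the internal API validates the real client against the auth server rather than trusting the DMZ host. The `RelayController` name, the `relay/{*path}` route and the `internal-api.corp.local` host are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web.Http;

// Hypothetical DMZ relay for ASP.NET Web API 2 (attribute routing enabled via
// config.MapHttpAttributeRoutes()). It holds no database or auth-server
// connection itself: the firewall only needs to allow this host to reach the
// internal API over TLS, not the SQL or authentication ports.
public class RelayController : ApiController
{
    // Assumed internal endpoint; one shared HttpClient per process.
    private static readonly HttpClient Internal = new HttpClient
    {
        BaseAddress = new Uri("https://internal-api.corp.local/")
    };

    [AcceptVerbs("GET", "POST", "PUT", "DELETE")]
    [Route("relay/{*path}")]
    public async Task<HttpResponseMessage> Relay(string path)
    {
        // Fail closed: without a bearer token there is nothing to forward.
        var auth = Request.Headers.Authorization;
        if (auth == null || !string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase))
            return Request.CreateResponse(HttpStatusCode.Unauthorized);

        // Rebuild the request instead of forwarding the raw object: only the
        // path, query, method, body and the client's token cross the firewall.
        // Cookies and other headers from the public side are deliberately dropped.
        var outbound = new HttpRequestMessage(Request.Method, path + Request.RequestUri.Query);
        outbound.Headers.Authorization = auth;

        if (Request.Content != null &&
            (Request.Method == HttpMethod.Post || Request.Method == HttpMethod.Put))
        {
            outbound.Content = new StreamContent(await Request.Content.ReadAsStreamAsync());
            outbound.Content.Headers.ContentType = Request.Content.Headers.ContentType;
        }

        // The internal API performs its own token validation and authorization;
        // the relay is treated as untrusted plumbing, not as an authenticated peer.
        var inner = await Internal.SendAsync(outbound, HttpCompletionOption.ResponseHeadersRead);
        inner.RequestMessage = Request; // let Web API stream status, headers and body back
        return inner;
    }
}
```

Because the token travels with the request, the internal API still sees the client's identity; the DMZ host never needs the SQL or auth-server ports opened to it.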