Protecting our web services
The login page described earlier only protects our Markdown content, not our dynamic web services. If you know the resource names of the web services, you can still extract all sensor data and control the actuator output, unauthenticated. To avoid this, we need to add an authentication layer on top of our web services. We can do this by using JWT (Java Web Tokens). These tokens are simple strings that are cryptographically signed by a server, and that can be easily transported in any type of machine-to-machine communication where you want to avoid sessions and login forms. The server can then validate the token by checking the signature. By adding the Waher.Security.JWT.UWP
NuGet package to our SensorHttp
and ActuatorHttp
projects, we can use JWT to protect our web services.
Note
For .NET standard, .NET Core, or traditional .NET Framework projects, you can use the Waher.Security.JWT
NuGet instead.
Getting a session token
We begin by creating a token factory. It will...