Authentication not working on HTTP-POST using NetworkCredential

Discussion in 'ASP .Net Web Services' started by Patrick Fogarty, Aug 25, 2003.

  1. I am programming what is to be a web service client that will use an
    HTTP-POST to request and retrieve data. The remote server (written in java
    for what it's worth) requires basic authentication as per RFC 2617
    (http://www.faqs.org/rfcs/rfc2617.html). My attempts to authenticate are
    failing. The server requires the header to be present with the request.
    For security reasons, it will not reply in any way if the header is not
    present.

    More specifically, my attempts fail when attempting to attach a
    'NetworkCredential' object to the 'Credentials' property of a
    'HttpWebRequest' object. If I create the header manually, everything works
    fine. When attempting to do it 'the Microsoft Way' no authentication
    information is sent in the header, even if I set 'PreAuthenticate' = true.

    What am I missing? Below are two examples. Each has the code to send the
    request followed by the captured request header.


    - Patrick

    ------------------------------------------------------------
    << the code that fails >>

    (( assume reqBytes and SomeURI already set ))

    request = (HttpWebRequest) WebRequest.Create(SomeURI);

    request.PreAuthenticate = true;
    request.Credentials = new NetworkCredential("JoeBlow","MountainHo");

    request.Timeout = 20 * 1000;
    request.Method = "POST";
    request.ContentType = "application/x-www-form-urlencoded";
    request.ContentLength = reqBytes.Length;

    Stream reqStream = request
    reqStream.Write(reqBytes,0,reqBytes.Length);
    reqStream.Close();

    ------------------------------
    POST / HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 1718
    Expect: 100-continue
    Connection: Keep-Alive
    Host: me:10000



    ------------------------------------------------------------
    << the code that works>>

    (( assume reqBytes and SomeURI already set ))

    request = (HttpWebRequest) WebRequest.Create(SomeURI);

    // 'GetManualAuthorization' written by me to generate RFC2617-compliant
    basic authentication header
    request.Headers.Add("Authorization", GetManualAuthorization("JoeBlow",
    "MountainHo"));


    request.Timeout = 20 * 1000;
    request.Method = "POST";
    request.ContentType = "application/x-www-form-urlencoded";
    request.ContentLength = reqBytes.Length;

    Stream reqStream = request
    reqStream.Write(reqBytes,0,reqBytes.Length);
    reqStream.Close();

    ------------------------------
    POST / HTTP/1.1
    Authorization: BASIC Sm9lQmxvdzpNb3VudGFpbkhv
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 1718
    Expect: 100-continue
    Connection: Keep-Alive
    Host: me:10000
     
    Patrick Fogarty, Aug 25, 2003
    #1
    1. Advertising

  2. Patrick Fogarty

    Frank Drebin Guest

    I'm not saying this is the best way (I am wincing as I write this), but you
    could set the URL as:

    http://someuser:somepassword@myserver/somepage.aspx

    that's a quick way to handle basic authentication... sorry for the crappy
    post.. :eek:)

    "Patrick Fogarty" <> wrote in message
    news:...
    >
    > I am programming what is to be a web service client that will use an
    > HTTP-POST to request and retrieve data. The remote server (written in

    java
    > for what it's worth) requires basic authentication as per RFC 2617
    > (http://www.faqs.org/rfcs/rfc2617.html). My attempts to authenticate are
    > failing. The server requires the header to be present with the request.
    > For security reasons, it will not reply in any way if the header is not
    > present.
    >
    > More specifically, my attempts fail when attempting to attach a
    > 'NetworkCredential' object to the 'Credentials' property of a
    > 'HttpWebRequest' object. If I create the header manually, everything

    works
    > fine. When attempting to do it 'the Microsoft Way' no authentication
    > information is sent in the header, even if I set 'PreAuthenticate' = true.
    >
    > What am I missing? Below are two examples. Each has the code to send the
    > request followed by the captured request header.
    >
    >
    > - Patrick
    >
    > ------------------------------------------------------------
    > << the code that fails >>
    >
    > (( assume reqBytes and SomeURI already set ))
    >
    > request = (HttpWebRequest) WebRequest.Create(SomeURI);
    >
    > request.PreAuthenticate = true;
    > request.Credentials = new NetworkCredential("JoeBlow","MountainHo");
    >
    > request.Timeout = 20 * 1000;
    > request.Method = "POST";
    > request.ContentType = "application/x-www-form-urlencoded";
    > request.ContentLength = reqBytes.Length;
    >
    > Stream reqStream = request
    > reqStream.Write(reqBytes,0,reqBytes.Length);
    > reqStream.Close();
    >
    > ------------------------------
    > POST / HTTP/1.1
    > Content-Type: application/x-www-form-urlencoded
    > Content-Length: 1718
    > Expect: 100-continue
    > Connection: Keep-Alive
    > Host: me:10000
    >
    >
    >
    > ------------------------------------------------------------
    > << the code that works>>
    >
    > (( assume reqBytes and SomeURI already set ))
    >
    > request = (HttpWebRequest) WebRequest.Create(SomeURI);
    >
    > // 'GetManualAuthorization' written by me to generate RFC2617-compliant
    > basic authentication header
    > request.Headers.Add("Authorization", GetManualAuthorization("JoeBlow",
    > "MountainHo"));
    >
    >
    > request.Timeout = 20 * 1000;
    > request.Method = "POST";
    > request.ContentType = "application/x-www-form-urlencoded";
    > request.ContentLength = reqBytes.Length;
    >
    > Stream reqStream = request
    > reqStream.Write(reqBytes,0,reqBytes.Length);
    > reqStream.Close();
    >
    > ------------------------------
    > POST / HTTP/1.1
    > Authorization: BASIC Sm9lQmxvdzpNb3VudGFpbkhv
    > Content-Type: application/x-www-form-urlencoded
    > Content-Length: 1718
    > Expect: 100-continue
    > Connection: Keep-Alive
    > Host: me:10000
    >
    >
    >
     
    Frank Drebin, Aug 25, 2003
    #2
    1. Advertising

  3. That will not work. The Authinfo from URLs is not used.

    Unfortunately the only way to get your situation to work is to add the
    authorization header manually. You can do this by doing a Convert.ToBase64()
    of username:password string. And add that as an authorization header to the
    base webrequest:

    string authorization = Convert.ToBase64String(username + ":" +
    password);
    request.Headers["Authorization"] = "basic " + authorization;

    The reason you have to do this is that HttpWebRequest will not send a
    credential unless the server challenges with a 401 first.

    --
    Remove "user" from the email address to reply to the author.

    This posting is provided "AS IS" with no warranties, and confers no rights

    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/cpyright.htm




    "Frank Drebin" <> wrote in message
    news:Fcs2b.33228$...
    > I'm not saying this is the best way (I am wincing as I write this), but

    you
    > could set the URL as:
    >
    > http://someuser:somepassword@myserver/somepage.aspx
    >
    > that's a quick way to handle basic authentication... sorry for the crappy
    > post.. :eek:)
    >
    > "Patrick Fogarty" <> wrote in message
    > news:...
    > >
    > > I am programming what is to be a web service client that will use an
    > > HTTP-POST to request and retrieve data. The remote server (written in

    > java
    > > for what it's worth) requires basic authentication as per RFC 2617
    > > (http://www.faqs.org/rfcs/rfc2617.html). My attempts to authenticate

    are
    > > failing. The server requires the header to be present with the request.
    > > For security reasons, it will not reply in any way if the header is not
    > > present.
    > >
    > > More specifically, my attempts fail when attempting to attach a
    > > 'NetworkCredential' object to the 'Credentials' property of a
    > > 'HttpWebRequest' object. If I create the header manually, everything

    > works
    > > fine. When attempting to do it 'the Microsoft Way' no authentication
    > > information is sent in the header, even if I set 'PreAuthenticate' =

    true.
    > >
    > > What am I missing? Below are two examples. Each has the code to send

    the
    > > request followed by the captured request header.
    > >
    > >
    > > - Patrick
    > >
    > > ------------------------------------------------------------
    > > << the code that fails >>
    > >
    > > (( assume reqBytes and SomeURI already set ))
    > >
    > > request = (HttpWebRequest) WebRequest.Create(SomeURI);
    > >
    > > request.PreAuthenticate = true;
    > > request.Credentials = new NetworkCredential("JoeBlow","MountainHo");
    > >
    > > request.Timeout = 20 * 1000;
    > > request.Method = "POST";
    > > request.ContentType = "application/x-www-form-urlencoded";
    > > request.ContentLength = reqBytes.Length;
    > >
    > > Stream reqStream = request
    > > reqStream.Write(reqBytes,0,reqBytes.Length);
    > > reqStream.Close();
    > >
    > > ------------------------------
    > > POST / HTTP/1.1
    > > Content-Type: application/x-www-form-urlencoded
    > > Content-Length: 1718
    > > Expect: 100-continue
    > > Connection: Keep-Alive
    > > Host: me:10000
    > >
    > >
    > >
    > > ------------------------------------------------------------
    > > << the code that works>>
    > >
    > > (( assume reqBytes and SomeURI already set ))
    > >
    > > request = (HttpWebRequest) WebRequest.Create(SomeURI);
    > >
    > > // 'GetManualAuthorization' written by me to generate RFC2617-compliant
    > > basic authentication header
    > > request.Headers.Add("Authorization", GetManualAuthorization("JoeBlow",
    > > "MountainHo"));
    > >
    > >
    > > request.Timeout = 20 * 1000;
    > > request.Method = "POST";
    > > request.ContentType = "application/x-www-form-urlencoded";
    > > request.ContentLength = reqBytes.Length;
    > >
    > > Stream reqStream = request
    > > reqStream.Write(reqBytes,0,reqBytes.Length);
    > > reqStream.Close();
    > >
    > > ------------------------------
    > > POST / HTTP/1.1
    > > Authorization: BASIC Sm9lQmxvdzpNb3VudGFpbkhv
    > > Content-Type: application/x-www-form-urlencoded
    > > Content-Length: 1718
    > > Expect: 100-continue
    > > Connection: Keep-Alive
    > > Host: me:10000
    > >
    > >
    > >

    >
    >
     
    Feroze [MSFT], Aug 27, 2003
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Jay Douglas
    Replies:
    4
    Views:
    721
    Jay Douglas
    Mar 6, 2004
  2. IveCal

    NetworkCredential

    IveCal, Apr 17, 2006, in forum: Java
    Replies:
    6
    Views:
    4,282
    Oliver Wong
    Apr 20, 2006
  3. wgo
    Replies:
    0
    Views:
    187
  4. sorpor
    Replies:
    3
    Views:
    224
    Paul Glavich [MVP - ASP.NET]
    May 4, 2004
  5. Carlton858

    using System.Net.NetworkCredential class

    Carlton858, May 18, 2004, in forum: ASP .Net Security
    Replies:
    7
    Views:
    426
    Carlton Nettleton
    May 25, 2004
Loading...

Share This Page