basic authentication by code -- help needed!!!

Discussion in 'ASP .Net Security' started by ami.turgman@gmail.com, Apr 2, 2007.

  1. Guest

    Hi,

    I'm working on a content pages web site engine which deifnes 2 types
    of security methods.
    some of the pages don't need authentication and can be accessed by
    everyone, while other pages (the same aspx page- different content)
    requires to have Basic Authentication, ie. having the popup window
    open at the client, authenticating him before he can view the content.
    this behavior is defined by configuration of each content page which
    is accessed programatically.

    the question- is there a way of having the basic authentication popup
    by code? i want to check the page's property, and if this is a basic
    authentication page, then i want the popup appear to the user...
    i searched and couldn't find anything about this anywhere, i would
    really appriciate any help regardng this

    Thanks in advance,
    Ami.
    , Apr 2, 2007
    #1
    1. Advertising

  2. IIS sends the necessary authentication headers to IE whenever he sees an
    HTTP 401 coming from ASP.NET - so yes - you could do:

    Response.StatusCode = 401;
    Request.CompleteRequest();

    have not compiled it - but should work ;)
    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > Hi,
    >
    > I'm working on a content pages web site engine which deifnes 2 types
    > of security methods.
    > some of the pages don't need authentication and can be accessed by
    > everyone, while other pages (the same aspx page- different content)
    > requires to have Basic Authentication, ie. having the popup window
    > open at the client, authenticating him before he can view the content.
    > this behavior is defined by configuration of each content page which
    > is accessed programatically.
    > the question- is there a way of having the basic authentication popup
    > by code? i want to check the page's property, and if this is a basic
    > authentication page, then i want the popup appear to the user...
    > i searched and couldn't find anything about this anywhere, i would
    > really appriciate any help regardng this
    > Thanks in advance,
    > Ami.
    Dominick Baier, Apr 2, 2007
    #2
    1. Advertising

  3. Joe Kaplan Guest

    Server must also add a "WWW-Authenticate: Basic realm=xxxx" header so that
    the browser will know to respond with Basic auth. If client sends an
    authorization header, server must check for Basic auth request header,
    decode it properly and verify the credentials.

    If the credentials are going to be verified against Windows/AD, it is much
    more straightforward to just check the basic authentication checkbox and let
    IIS do all the work.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in
    message news:...
    > IIS sends the necessary authentication headers to IE whenever he sees an
    > HTTP 401 coming from ASP.NET - so yes - you could do:
    >
    > Response.StatusCode = 401;
    > Request.CompleteRequest();
    >
    > have not compiled it - but should work ;)
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications
    > (http://www.microsoft.com/mspress/books/9989.asp)
    >
    >> Hi,
    >>
    >> I'm working on a content pages web site engine which deifnes 2 types
    >> of security methods.
    >> some of the pages don't need authentication and can be accessed by
    >> everyone, while other pages (the same aspx page- different content)
    >> requires to have Basic Authentication, ie. having the popup window
    >> open at the client, authenticating him before he can view the content.
    >> this behavior is defined by configuration of each content page which
    >> is accessed programatically.
    >> the question- is there a way of having the basic authentication popup
    >> by code? i want to check the page's property, and if this is a basic
    >> authentication page, then i want the popup appear to the user...
    >> i searched and couldn't find anything about this anywhere, i would
    >> really appriciate any help regardng this
    >> Thanks in advance,
    >> Ami.

    >
    >
    Joe Kaplan, Apr 2, 2007
    #3
  4. i thought it is already configured like that:

    "while other pages (the same aspx page- different content)
    requires to have Basic Authentication, ie. having the popup window
    open at the client, authenticating him before he can view the content.
    this behavior is defined by configuration of each content page which
    is accessed programatically."


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > Server must also add a "WWW-Authenticate: Basic realm=xxxx" header so
    > that the browser will know to respond with Basic auth. If client
    > sends an authorization header, server must check for Basic auth
    > request header, decode it properly and verify the credentials.
    >
    > If the credentials are going to be verified against Windows/AD, it is
    > much more straightforward to just check the basic authentication
    > checkbox and let IIS do all the work.
    >
    > Joe K.
    >
    Dominick Baier, Apr 2, 2007
    #4
  5. Joe Kaplan Guest

    I couldn't quite tell what he was doing based on what he said. I didn't
    know if he wanted to implement the whole basic auth protocol himself or some
    hybrid. If he has both anonymous and basic enabled in IIS, then sending a
    401 response may be adequate in this case. I've never actually tried that.
    :)

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in
    message news:...
    >i thought it is already configured like that:
    >
    > "while other pages (the same aspx page- different content)
    > requires to have Basic Authentication, ie. having the popup window
    > open at the client, authenticating him before he can view the content.
    > this behavior is defined by configuration of each content page which
    > is accessed programatically."
    >
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications
    > (http://www.microsoft.com/mspress/books/9989.asp)
    >
    >> Server must also add a "WWW-Authenticate: Basic realm=xxxx" header so
    >> that the browser will know to respond with Basic auth. If client
    >> sends an authorization header, server must check for Basic auth
    >> request header, decode it properly and verify the credentials.
    >>
    >> If the credentials are going to be verified against Windows/AD, it is
    >> much more straightforward to just check the basic authentication
    >> checkbox and let IIS do all the work.
    >>
    >> Joe K.
    >>

    >
    >
    Joe Kaplan, Apr 2, 2007
    #5
  6. well - thats exactly how the <authorization> element does its job...


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > I couldn't quite tell what he was doing based on what he said. I
    > didn't know if he wanted to implement the whole basic auth protocol
    > himself or some hybrid. If he has both anonymous and basic enabled in
    > IIS, then sending a 401 response may be adequate in this case. I've
    > never actually tried that. :)
    >
    > Joe K.
    >
    Dominick Baier, Apr 3, 2007
    #6
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Brett Porter
    Replies:
    2
    Views:
    742
    Andrea D'Onofrio [MSFT]
    Jan 20, 2004
  2. Mark
    Replies:
    0
    Views:
    665
  3. Brett Porter
    Replies:
    5
    Views:
    568
    Brett Porter
    Feb 3, 2004
  4. Dom
    Replies:
    0
    Views:
    445
  5. Dom
    Replies:
    0
    Views:
    485
Loading...

Share This Page