Custom authentication

Discussion in 'ASP .Net Security' started by casper, May 12, 2005.

  1. casper

    casper Guest

    I'm building an application where external applications can download
    files from. The external application makes a webrequest with credentials
    to my application. Before returning the file as a stream I need to
    check username and password of the request. Usernames/passwords are
    stored in a sql server.
    How do I retrieve the username and password from the webrequest?

    /casper
     
    casper, May 12, 2005
    #1

  2. The transport level security stuff is designed to work with Windows
    authentication, not custom authentication. It is intended to plug into the
    auth mechanisms supported by IIS, not custom protocols.

    That said, if you really must use the CredentialCache with HttpWebRequest,
    you will essentially want to implement your own Basic authentication
    protocol as you'll probably need plaintext passwords, right?

    Essentially, you would disable authentication in IIS (set to anonymous).
    Then, you would implement an HTTP module that handles the BeginRequest
    method and checks for the presence of a Basic authentication header. If one
    is not present, you would set the status code to 401 and add the proper
    www-authenticate header to the return response and call CompleteRequest.

    Then, in a separate event handler for the module (AuthenticateRequest), you
    would read the basic authentication header, extract user name and password
    and authenticate against your data source as appropriate. If the user is
    authenticated, you would create some kind of a GenericPrincipal for the user
    and associate it with the HttpContext.User property. If not, you would send
    it back again.

    Then, in web.config, you would set up authorization to only allow
    authenticated users, and you should be all set.

    I'd suggest reading up on basic authentication in the RFC spec and doing
    some network or http header sniffing so you can see how it works and what
    the headers look like.

    You will also need to decide whether to lock out accounts after too many bad
    password attempts and whether to allow more than X attempts to authenticate
    a certain user in a certain period of time. A lot of this depends on how
    secure you need this to be and how resistant to hacking you want to make it.

    Best of luck,

    Joe K.
    "casper" <> wrote in message
    news:...
    > I'm building an application where external applications can download
    > files from. The external application makes a webrequest with credentials
    > to my application. Before returning the file as a stream I need to
    > check username and password of the request. Usernames/passwords are
    > stored in a sql server.
    > How do I retrieve the username and password from the webrequest?
    >
    > /casper
    >
     
    Joe Kaplan (MVP - ADSI), May 12, 2005
    #2

  3. casper

    casper Guest

    casper, May 13, 2005
    #3
  4. Good deal. Glad to help,

    Joe K.

    "casper" <> wrote in message
    news:...
    > Hi Joe,
    >
    > thanks for the answer, it helped me a lot.
    >
    > Based on your answer I found this site:
    > http://www.eggheadcafe.com/articles/20030701.asp
    > and solved the problem.
    >
    > Best regards
    > Casper
    >
     
    Joe Kaplan (MVP - ADSI), May 13, 2005
    #4
