Custom authentication

C

casper

I'm building an application where external applications can download
files from. The external application makes a webrequest with credential
to my application. Before returning the file as a stream I need to
check username and password of the request. Usernames/passwords are
stored in a sql server.
How do I retrieve the username and password from the webrequest?

/casper
 
J

Joe Kaplan \(MVP - ADSI\)

The transport level security stuff is designed to work with Windows
authentication, not custom authentication. It is intended to plug into the
auth mechanisms supported by IIS, not custom protocols.

That said, if you really must use the CredentialCache with HttpWebRequest,
you will essentially want to implement your own Basic authentication
protocol as you'll probably need plaintext passwords, right?

Essentially, you would disable authentication in IIS (set to anonymous).
Then, you would implement an HTTP module that handles the BeginRequest
method and checks for the presense of a Basic authentication header. If one
is not present, you would set the status code to 401 and add the proper
www-authenticate header to the return response and call CompleteRequest.

Then, in a separate event handler for the module (AuthenticateRequest), you
would read the basic authentication header, extract user name and password
and authenticate against your data source as appropriate. If the user is
authenticated, you would create some kind of a GenericPrincipal for the user
and associate it with the HttpContext.User property. If not, you would send
it back again.

Then, in web.config, you would set up authorization to only allow
authenticated users, and you should be all set.

I'd suggest reading up on basic authentication in the RFC spec and doing
some network or http header sniffing so you can see how it works and what
the headers look like.

You will also need to decide whether to lockout accounts after too many bad
password attempts and whether to allow more than X attempts to authenticate
a certain user in a certain period of time. A lot of this depends on how
secure you need this to be and how resistant to hacking you want to make it.

Best of luck,

Joe K.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,483
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top