Custom Basic Authentication

[Pablo Montilla]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all, I want to be able to use Basic Authentication without the need
of specific accounts in my server machine. What I want is to be able to get
the browser sent user and password, and use that to do custom
authentication (checking them with a database, etc.).

Is that possible? The only thing I can do manually is to request the popup,
but the AUTH_USER and AUTH_PASSWORD never get to me (I think IIS is simply
trying to authenticate, and its never returning to my app).

Any help, very appreciated.

Regards,
Pablo
- --
Remember, drive defensively! And of course, the best defense is a good
offense!


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBQCFEz76KEogX0AkqEQK05ACgqVsJwrkXDKSNg+EB8N5YC/47xNYAnRvb
gxJTvkyUMdh06SPuqwfQ84yP
=XOY5
-----END PGP SIGNATURE-----

 

[Joe Kaplan \(MVP - ADSI\)]

You should be able to do this with an HttpModule without too much trouble.

Essentially, you would want IIS set to anonymous (Basic unchecked) so that
it wouldn't try to process the headers. Then, you would just look for the
HTTP_AUTHORIZATION header on each request.

If the header was there, you would parse it out to get the user name and
password and perform your authentication as needed. If the header was not
there, you would just set the correct www-authenticate header.

I think the code might look something like this, but I haven't tested this:

authHeader = req.ServerVariables("HTTP_AUTHORIZATION")
realm = req.Url.Host

If (authHeader Is Nothing OrElse authHeader.Equals(String.Empty)) Then
challengeHeader = String.Format("Basic realm=""{0}""", realm)
res.AddHeader("www-authenticate", challengeHeader)
res.StatusCode = 401
'might want to stick some HTML in the response too...
con.ApplicationInstance.CompleteRequest()
Else
'parse out the header and authenticate
End If

HTH,

Joe K.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all, I want to be able to use Basic Authentication without the need
of specific accounts in my server machine. What I want is to be able to get
the browser sent user and password, and use that to do custom
authentication (checking them with a database, etc.).

Is that possible? The only thing I can do manually is to request the popup,
but the AUTH_USER and AUTH_PASSWORD never get to me (I think IIS is simply
trying to authenticate, and its never returning to my app).

Any help, very appreciated.

Regards,
Pablo
- --
Remember, drive defensively! And of course, the best defense is a good
offense!


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBQCFEz76KEogX0AkqEQK05ACgqVsJwrkXDKSNg+EB8N5YC/47xNYAnRvb
gxJTvkyUMdh06SPuqwfQ84yP
=XOY5
-----END PGP SIGNATURE-----

 

[Pablo Montilla]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for your answer, I've tried using a custom HttpModule and handling
the Application_Authenticate event, but while I receive the event whenever
I input a valid Windows account, I never receive it if I use whatever
username and password (the ones I want to authenticate in a custom way).

I've tried different combinations of the flags for the authentication
methods, but none had worked. Am I missing something?

Anyway, thanks for your reply,
Pablo
- --
If you share a path with an elephant, no matter who stumbles, you lose.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBQCzvcL6KEogX0AkqEQJdMgCgvavD0OjD0wRH3+njBHQToCxpDPkAnjva
W0Drs5oubyq3WcI0IKshBTNt
=aXdy
-----END PGP SIGNATURE-----

 

[Pablo Montilla]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Obviously I didn't tried enough, I've removed all but anonymous and it
works like charm.

Many, many thanks,
Pablo
- --
If at first you don't exceed, try, try again.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBQCz1dL6KEogX0AkqEQL+6QCg+KhMOiK23vCEJKMJ9P7DIHeCZl8Ani1n
Z7564VWsT5bz00ggiudWDY2/
=Aqto
-----END PGP SIGNATURE-----