Custom authentication

 
 
casper
      05-12-2005
I'm building an application from which external applications can download
files. The external application makes a webrequest with credentials
to my application. Before returning the file as a stream I need to
check the username and password of the request. Usernames/passwords are
stored in a SQL Server.
How do I retrieve the username and password from the webrequest?

/casper

 
Joe Kaplan (MVP - ADSI)
      05-12-2005
The transport level security stuff is designed to work with Windows
authentication, not custom authentication. It is intended to plug into the
auth mechanisms supported by IIS, not custom protocols.

That said, if you really must use the CredentialCache with HttpWebRequest,
you will essentially want to implement your own Basic authentication
protocol as you'll probably need plaintext passwords, right?

Essentially, you would disable authentication in IIS (set to anonymous).
Then, you would implement an HTTP module that handles the BeginRequest
method and checks for the presence of a Basic authentication header. If one
is not present, you would set the status code to 401 and add the proper
www-authenticate header to the return response and call CompleteRequest.

Then, in a separate event handler for the module (AuthenticateRequest), you
would read the basic authentication header, extract user name and password
and authenticate against your data source as appropriate. If the user is
authenticated, you would create some kind of a GenericPrincipal for the user
and associate it with the HttpContext.User property. If not, you would send
it back again.

Then, in web.config, you would set up authorization to only allow
authenticated users, and you should be all set.

I'd suggest reading up on basic authentication in the RFC spec and doing
some network or http header sniffing so you can see how it works and what
the headers look like.

You will also need to decide whether to lock out accounts after too many bad
password attempts and whether to allow more than X attempts to authenticate
a certain user in a certain period of time. A lot of this depends on how
secure you need this to be and how resistant to hacking you want to make it.

Best of luck,

Joe K.
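
The module described in the answer above, as an added example that is not code from the thread or from the article linked later in it: `BeginRequest` challenges requests that carry no Basic header, and `AuthenticateRequest` decodes the header, checks the pair and sets `HttpContext.User`. `BasicAuthModule`, `VerifyCredentials` and the realm `Downloads` are hypothetical names. The code assumes .NET Framework (System.Web) with a C# 7 compiler and a site served only over HTTPS, because Basic sends the password merely base64-encoded.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

public class BasicAuthModule : IHttpModule
{
    // Hypothetical hook: assign a function that checks the pair against the SQL Server user store.
    public static Func<string, string, bool> VerifyCredentials = (u, p) => false; // deny by default

    public void Init(HttpApplication app)
    {
        app.BeginRequest += (s, e) =>
        {   // No Basic header at all: challenge before any other processing.
            if (!IsBasic(app.Request.Headers["Authorization"])) Challenge(app.Context);
        };
        app.AuthenticateRequest += (s, e) =>
        {
            if (TryParseBasic(app.Request.Headers["Authorization"], out string user, out string password)
                && VerifyCredentials(user, password))
                app.Context.User = new GenericPrincipal(new GenericIdentity(user, "Basic"), new string[0]);
            else
                Challenge(app.Context); // malformed header or bad credentials: send it back again
        };
    }
    public void Dispose() { }

    private static bool IsBasic(string header) =>
        header != null && header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase);

    private static void Challenge(HttpContext ctx)
    {
        ctx.Response.StatusCode = 401;
        ctx.Response.AppendHeader("WWW-Authenticate", "Basic realm=\"Downloads\""); // assumed realm
        ctx.ApplicationInstance.CompleteRequest(); // skip straight to EndRequest
    }

    // Header value is "Basic " + base64("user:password"); split at the first ':'.
    public static bool TryParseBasic(string header, out string user, out string password)
    {
        user = password = null;
        if (!IsBasic(header)) return false;
        string pair;
        try { pair = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; }
        int sep = pair.IndexOf(':');
        if (sep <= 0) return false; // no separator or empty user name
        user = pair.Substring(0, sep);
        password = pair.Substring(sep + 1);
        return true;
    }
}
```

Register the module in web.config and deny anonymous users with `<deny users="?" />` under `<authorization>`, which is the answer's last step. Lockout and limits on failed attempts would live inside the function assigned to `VerifyCredentials`.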
casper
      05-13-2005
Hi Joe,

thanks for the answer, it helped me a lot.

Based on your answer I found this site:
http://www.eggheadcafe.com/articles/20030701.asp
and solved the problem.

Best regards
Casper

 
Joe Kaplan (MVP - ADSI)
      05-13-2005
Good deal. Glad to help,

Joe K.
