
Basic authentication in ASP.NET against custom datasource

5 Jun 2006
An alternative to basic authentication using IIS

Introduction

As an alternative to forms authentication for authenticating users against a database, you can use basic authentication (without adding user records to Active Directory). I wondered whether it was possible to use IE's (the browser's) built-in login dialog box for my own authentication when I saw it for the first time while learning SAMBA many years back. I tried to make it work in classic ASP, without IIS configuration. Then I found an interesting topic on PHP basic authentication while googling. PHP has built-in server variables for handling basic authentication.
Some whitepapers helped me a lot in learning the mechanism of this authentication. The day I solved this with ASP was the first day I succeeded in doing something on my own. While on vacation last week, it came to my mind after I saw a Passport login dialog on MSN, and I thought of migrating my old piece of code to ASP.NET by handling events in the global.asax file. Finally, I found an HttpModule to be the best way to implement it.

You are most welcome if you have a better idea. Please post your comments.

Background

Authentication is the process of obtaining identification credentials such as name and password from a user and validating those credentials against some authority. If the credentials are valid, the entity that submitted the credentials is considered an authenticated identity. Once an identity has been authenticated, the authorization process determines whether that identity has access to a given resource.

Using the code

This works by sending a 401 status code together with a WWW-Authenticate response header, which makes the browser pop up its login dialog box. The credentials the browser then sends back, Base64 encoded, are validated during the application's AuthenticateRequest event.

// Send 401 with a challenge header so the browser prompts for credentials
Response.StatusCode = 401;
Response.AddHeader("WWW-Authenticate", "Basic realm=\"My Realm\"");

The base class for the authentication handler is BaseAuthenticationModule. You should extend the Authenticate method of this class to implement your authentication logic, which returns a GenericPrincipal object. You can still use your favorite User.IsInRole() for role-based authorization.

<httpModules>
 <add name="santosh.web" type="santosh.web.SQLAuthentication,MyAuthentication" />
</httpModules>

As with any other HTTP module, you have to write a configuration element to register it in web.config, and deny unauthenticated users (users="?") in the authorization element. The rest, how you handle your authentication logic, is up to you. You must also not forget that this scheme is not considered to be a secure method of user authentication (unless used in conjunction with some external secure system such as SSL [5]), as the user name and password are passed over the network as clear text.
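The flow described above (challenge with 401 and WWW-Authenticate, decode the Base64 credentials during AuthenticateRequest, hand them to an Authenticate method that returns a GenericPrincipal), as an added example that is not the article's own BaseAuthenticationModule. The class name ExampleBasicAuthModule, the Authenticate(user, password) signature, the UTF-8 decoding and the policy of ignoring credentials that arrive without SSL are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

// Added example, not the article's BaseAuthenticationModule; names are hypothetical.
public abstract class ExampleBasicAuthModule : IHttpModule
{
    private const string Realm = "My Realm";

    // Subclasses check the credentials against their own data source and
    // return null on failure (assumed signature, not taken from the article).
    protected abstract GenericPrincipal Authenticate(string user, string password);

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
        app.EndRequest += OnEndRequest;
    }

    public void Dispose() { }

    private void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string header = ctx.Request.Headers["Authorization"];
        // Assumed policy: do not honour credentials sent in clear text over plain HTTP.
        if (header == null || !ctx.Request.IsSecureConnection) return;
        if (!header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return;

        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return; }   // malformed Base64: request stays anonymous

        int colon = decoded.IndexOf(':');     // split on the first ':'; passwords may contain more
        if (colon < 0) return;
        GenericPrincipal principal = Authenticate(decoded.Substring(0, colon), decoded.Substring(colon + 1));
        if (principal != null) ctx.User = principal;
    }

    private void OnEndRequest(object sender, EventArgs e)
    {
        HttpResponse response = ((HttpApplication)sender).Response;
        // URL authorization answers <deny users="?"/> with 401; attach the challenge to it.
        if (response.StatusCode == 401)
            response.AddHeader("WWW-Authenticate", "Basic realm=\"" + Realm + "\"");
    }
}
```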

Points of Interest

By default, the entire application gets secured when we deny anonymous user access in the root web's authorization element, whereas you may be interested in securing only part of the application and leaving the root accessible to all. You can use the location element in your web.config file to customise the access control list. This is a great feature for using declarative security in ASP.NET. You can restrict different parts of the application not only by user, but by role as well. Implementing role-based authorization with a forms-based authentication mechanism is quite complex to handle. But you do enjoy freedom from maintaining user accounts in Active Directory, especially when deploying with a public web hosting service.

<location path="Secured">
 <system.web>
  <authorization>
   <deny users="?"/>
  </authorization>
 </system.web>
</location>

Debugging becomes a problem when testing this feature with Visual Studio. Instead, you can attach to the aspnet_wp.exe process and invoke the page from your browser, the way I did.

This mechanism only works when IIS's authentication is turned off and anonymous access is enabled. I got scared when I saw it not working while testing before publishing this article. I had accidentally enabled integrated authentication to debug other parts of the code. :)

In another article I have written about using it with the Struts Action Servlet for J2EE-based applications.

History

RFC for Basic authentication: http://www.faqs.org/rfcs/rfc2617.html
An article implementing the same with PHP: http://www.cascade.org.uk/software/php/auth/

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.


About the Author

Santosh K Sahoo
Web Developer
India
[MCSD, MCDBA]
I have been in IT for the past 6+ years, working as a software engineer for IBM Kolkata. .NET is the platform of my choice, and I have been coding with C# since its evolution. Please join the .NETIndia group at http://groups.yahoo.com/group/dotnetindia for more articles and .NET discussions.

Last Updated 5 Jun 2006
Article Copyright 2006 by Santosh K Sahoo