Basic authentication in ASP.NET against custom datasource

5 Jun 2006
An alternative to basic authentication using IIS

Introduction

As an alternative to forms authentication for authenticating users against a database, you can use basic authentication (without adding user records to Active Directory). I first wondered whether it was possible to use IE's (the browser's) built-in login dialog box for my own authentication when I saw it for the first time while learning SAMBA many years back. I tried to make it work in classic ASP without IIS configuration, then found an interesting topic on PHP basic authentication while googling. PHP has built-in server variables for handling basic authentication.
Some whitepapers helped me a lot in learning the mechanism of this authentication. The day I solved this with ASP was the first day I succeeded in doing something on my own. While on vacation last week, it came to mind after I saw the Passport login dialog of MSN, and I thought of migrating my old piece of code to ASP.NET by handling events in the global.asax file. Finally, I found an HttpModule to be the best way to implement it.

You are most welcome if you have a better idea. Please post your comments.

Background

Authentication is the process of obtaining identification credentials such as name and password from a user and validating those credentials against some authority. If the credentials are valid, the entity that submitted the credentials is considered an authenticated identity. Once an identity has been authenticated, the authorization process determines whether that identity has access to a given resource.

Using the code

This works by sending a 401 status code and a WWW-Authenticate response header, which makes the browser pop up its login dialog box, and then validating the credentials, which the browser sends back Base64-encoded, during the application's AuthenticateRequest event.

// Send the 401 challenge; the realm value must be a quoted string (RFC 2617)
Response.StatusCode = 401;
Response.AddHeader("WWW-Authenticate", "Basic realm=\"My Realm\"");

The base class for the authentication handler is BaseAuthenticationModule. You should override the Authenticate method of this class to implement your authentication logic; it returns a GenericPrincipal object. You can still use your favorite User.IsInRole() for role-based authorization.

<httpModules>
 <add name="santosh.web" type="santosh.web.SQLAuthentication,MyAuthentication" />
</httpModules>

As with any other HTTP module, you have to add a configuration element to register it in web.config, and deny unauthenticated users (?) in the authorization element. The rest is up to you: how you handle your authentication logic. You must also not forget that this scheme is not considered a secure method of user authentication (unless used in conjunction with some external secure system such as SSL [5]), as the user name and password are passed over the network as clear text: Base64 is an encoding, not encryption.
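The flow described above (challenge, decode the Base64 credentials in AuthenticateRequest, validate against your own store, attach a GenericPrincipal), as an added example that is not the article's BaseAuthenticationModule or its download. The class name, the constructed "demo" account and the PBKDF2 parameters are assumptions; the module ignores credentials and withholds the challenge unless the request arrived over SSL/TLS.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;
// Added example: hypothetical names; one constructed account stands in for the data-source query.
public class BasicAuthSketchModule : IHttpModule
{
    static readonly byte[] Salt = Encoding.ASCII.GetBytes("constructed-salt");
    static readonly byte[] StoredHash = Hash("constructed-password", Salt);

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += (s, e) => OnAuthenticate(((HttpApplication)s).Context);
        app.EndRequest += (s, e) => OnEndRequest(((HttpApplication)s).Context);
    }
    public void Dispose() { }

    static void OnAuthenticate(HttpContext ctx)
    {
        // The credentials are only Base64-encoded, so accept them over SSL/TLS only.
        if (!ctx.Request.IsSecureConnection) return;
        string header = ctx.Request.Headers["Authorization"];
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return; }   // malformed header: request stays anonymous
        int colon = decoded.IndexOf(':');     // split on the first ':'; the password may contain more
        if (colon <= 0) return;
        string user = decoded.Substring(0, colon), password = decoded.Substring(colon + 1);
        string[] roles;
        if (TryValidate(user, password, out roles))
            ctx.User = new GenericPrincipal(new GenericIdentity(user, "Basic"), roles);
    }

    static void OnEndRequest(HttpContext ctx)
    {
        // Turn the 401 produced by <deny users="?"/> into a challenge, but never over plain HTTP.
        if (ctx.Response.StatusCode == 401 && ctx.Request.IsSecureConnection)
            ctx.Response.AddHeader("WWW-Authenticate", "Basic realm=\"My Realm\"");
    }
    static bool TryValidate(string user, string password, out string[] roles)
    {
        roles = new[] { "Member" };            // constructed role for the constructed account
        byte[] actual = Hash(password, Salt);
        int diff = user == "demo" ? 0 : 1;
        for (int i = 0; i < actual.Length; i++) diff |= actual[i] ^ StoredHash[i];  // no early exit
        return diff == 0;
    }
    static byte[] Hash(string pw, byte[] salt) { return new Rfc2898DeriveBytes(pw, salt, 100000).GetBytes(32); }
}
```

In a real deployment TryValidate would run a parameterized query that returns the user's own salt, password hash and roles instead of the constructed values.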

Points of Interest

By default, the entire application is secured when we deny anonymous user access in the root web's authorization element, whereas you may be interested in securing only part of the application and leaving the root accessible to all. You can use the location element in your web.config file to customise the access control list. This is a great feature for declarative security in ASP.NET. You can restrict different parts of the application not only by user but by role as well. Implementing role-based authorization with a forms-based authentication mechanism is quite complex to handle. But you enjoy the freedom of maintaining user accounts with Active Directory, especially while deploying with a public web hosting service.

<location path="Secured">
 <system.web>
  <authorization>
   <deny users="?"/>
  </authorization>
 </system.web>
</location>

Debugging becomes a problem while testing this feature with Visual Studio. Instead, you can attach to the aspnet_wp.exe process and invoke the page from your browser, the way I did.

This mechanism only works when IIS’s authentication is turned off and anonymous access is enabled. I got scared to see this not working while testing before publishing this article. I had accidentally enabled integrated authentication to debug other parts of the code. :)

In another article I have written about using it with the Struts Action Servlet for J2EE-based applications.

History

RFC for Basic authentication: http://www.faqs.org/rfcs/rfc2617.html
An article implementing the same with PHP: http://www.cascade.org.uk/software/php/auth/

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.


Written By
Web Developer
India
[MCSD, MCDBA]
I have been in IT for the past 6+ years, working as a software engineer for IBM Kolkata. .NET is the platform of my choice and I have been coding with C# since its evolution. Please join the .NETIndia group at http://groups.yahoo.com/group/dotnetindia for more articles and .NET discussions.

Comments and Discussions

 
Question
Lim22102, 30-Jun-06 14:14
How does it integrate with forms authentication?

This is a great article because I need to publish private RSS to registered users and I haven't found a solution without IIS to do basic authentication, which most RSS readers support.

However, my application will be secured via forms authentication. Only the RssFeed.aspx page will be secured via basic authentication. Will this solution be feasible?

I know I should try out the example myself but I'm hoping maybe you'll reply back before I can start a simple project myself. :)

Thanks