Click here to Skip to main content
Click here to Skip to main content
Go to top

Usage of the client authorization in a ISAPI Extension

, 3 Aug 2004
Rate this:
Please Sign up or sign in to vote.
An article on how the authorization can be used in a ISAPI Extension.

Introduction

Normally, the ISAPI extension gets a request after the authentication was successful by the IIS engine. If there is, for example, a database connection, and you want to use a user input for username and password for the database connection, you will use a HTML Form to ask for that. Why not use the standard browser authorization dialog for that? Because, the database user is not a valid Windows user and authentication fails! OK, can be, but is it impossible to use it nevertheless? No, you must read on!

Background

In the ISAPI extension, we search for the HTTP_AUTHORIZATION header. If we do not find anything, we reject the request with "HTTP/1.1 401.5 Access Denied". The browser prompts for username and password. After the client has send us the authentication information, we can use a ISAPI Filter to catch the OnAuthentication event and set the username back to anonymous. What is the result? The IIS engine calls our extension as anonymous, but the HTTP_AUTHORIZATION header is still present, so we can use it. ;o) Great!

The code for the Filter

Put this in the OnAuthenticate method and define a constant with the name of your ISAPI extension DLL. Why? We would do this only if the user called our extension.

#define MODULNAME "myextension.dll"
// this is code for the Filter
if(!*pAuthent->pszUser)
{
    //
    //  Tell the server to notify any subsequent
    // notifications in the chain
    //
    return SF_STATUS_REQ_NEXT_NOTIFICATION;
}
// retrieve the URL, so that we can look for our own extension 
char szURL[1024];
DWORD dwSize = sizeof(szURL);
if(pCtxt->GetServerVariable(HEADER_URL, szURL, &dwSize) == TRUE)
{
    if(strstr(_strlwr(szURL), MODULNAME) != 0)
    {
        // it is our own extension
        // clear all for reset to anonymous
        pAuthent->pszUser[0] = pAuthent->pszPassword[0] = '\0';
        return SF_STATUS_REQ_NEXT_NOTIFICATION;
    }
}
return SF_STATUS_REQ_NEXT_NOTIFICATION;

The code for the Extension

Put this in your extension. We would do this only if the user called our extension. To decode the BASE64 encoded Username:Password, I used a class called Base64Coder found here.

static const TCHAR szAuthRequired[] = _T("HTTP/1.1 401.5 Access Denied\r\n
       WWW-Authenticate: Basic realm=\"my own realm\"\r\nContent-Length: 837\r\n
       Content-Type: text/html\r\n\r\n.....");
// this code for the Extension

CString m_strUserName;
CString m_strPassword;

char szAUTHORIZATION[1024] = "";
DWORD dwSize = sizeof(szAUTHORIZATION);
if(pCtxt->GetServerVariable("HTTP_AUTHORIZATION", 
              szAUTHORIZATION, &dwSize) == TRUE)
{
    if(strstr(szAUTHORIZATION, "Basic ") != NULL)
    {
        char szdecode[1024];
        char szdata[1024];
        char sztmp[1024];
        char *pdest;
        int  pos;
        Base64Coder  Coder;

        strcpy(szdecode, szAUTHORIZATION + 6);
        Coder.Decode(szdecode);
        strcpy(szdata, Coder.DecodedMessage());
        pdest = strstr(szdata, ":");
        pos = pdest - szdata + 1;

        if(pos <= 0)
        {
            SetLastError(ERROR_ACCESS_DENIED);
            pCtxt->m_bSendHeaders = FALSE;
            dwSize = strlen(szAuthRequired);
            pCtxt->WriteClient(szAuthRequired, &dwSize, 0);
        }else
        {
            strcpy(sztmp, szdata);
            sztmp[pos - 1] = '\0';
            m_strUserName = sztmp;
            strcpy(sztmp, szdata + pos);
            m_strPassword = sztmp;
            // now we know the username and the password and 
            // can use it for anything. If the values are not 
            // valid you can post a message or use the code to
            // post a access denied
        }
    }else
    {
        // we only support Basic authorization
    }
}

If you want, you can put the code for the filter and the extension in one DLL.

Important

This only works if basic authentication is active. I suggest to use it only in combination of SSL, so that the communication between IIS server and browser is encrypted.

Rules

// 
// Copyright (C) 2004 LEAN Software Production
// 
if((this == "nice") || (this == "great")) 
{ 
    pReponse->SetHeader(pfc, (char*) _T("great-stuff:"), (char*) _T("true"));
    return SF_STATUS_REQ_NEXT_NOTIFICATION; 
}else 
{
    CFile::Remove("myextension.dll");
    return SF_STATUS_REQ_ERROR; 
}

Please rate this article for me! You will find the rating down right.

History

Version: 1.0 - prepared for uploading.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

Share

About the Author

Proxy4NT

Germany Germany
Interested about me, then ask

Comments and Discussions

 
-- There are no messages in this forum --
| Advertise | Privacy | Mobile
Web01 | 2.8.140916.1 | Last Updated 4 Aug 2004
Article Copyright 2004 by Proxy4NT
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid