If you are an ASP.NET developer, you are probably familiar with both Membership and HTTP basic authentication. If you also know IIS's authentication methods, you know that the only way to use HTTP basic authentication on IIS is to verify the credentials against the Windows account store. In this post, we'll discuss how you can get IIS to use basic authentication against an ASP.NET Membership store instead.
The first question you should ask yourself is why you would want to do this. After all, basic authentication has some serious drawbacks, most notably that credentials are sent in the clear unless you use SSL (Base64 is an encoding, not encryption), and that you can't force users to sign out because of HTTP's stateless nature (most browsers cache the credentials and resend them on every request until the browser window is closed).
That said, there are also real benefits to using basic authentication in combination with IIS. It is a generic authentication interface supported by every client that implements HTTP, and by backing it with Membership you can share one set of credentials across several web applications. It is also platform independent: it doesn't matter whether the protected application is classic ASP, PHP, ASP.NET or anything else that runs on IIS, because the module authenticates the request before it reaches the handler.
So, to be more concrete, how do we implement this feature? We implement a System.Web.IHttpModule and handle the AuthenticateRequest event. For more details on how to implement this, download the attachment to this post.
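The following is an added example, not the attachment from this post: a minimal IHttpModule that performs HTTP basic authentication against the Membership and Roles providers and honours the same options the post describes (realm, requireAuthentication, requireSsl, enableRoles, applicationRoleName). The class name BasicMembershipAuthModule and the appSettings keys it reads are assumptions of this example; the post's own module reads a custom configuration section instead.

```csharp
// Added example, not the post's attachment. Basic authentication against the
// ASP.NET Membership/Roles providers. Class name and appSettings keys are assumed.
using System;
using System.Configuration;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Security;

public class BasicMembershipAuthModule : IHttpModule
{
    // Assumed configuration keys, mirroring the options described in the post.
    private static readonly string Realm = Setting("BasicAuth.Realm", "Secure Area");
    private static readonly bool RequireAuthentication = Setting("BasicAuth.RequireAuthentication", "true") == "true";
    private static readonly bool RequireSsl = Setting("BasicAuth.RequireSsl", "true") == "true";
    private static readonly bool EnableRoles = Setting("BasicAuth.EnableRoles", "false") == "true";
    private static readonly string ApplicationRoleName = Setting("BasicAuth.ApplicationRoleName", "");

    private static string Setting(string key, string fallback)
    {
        return ConfigurationManager.AppSettings[key] ?? fallback;
    }

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
        app.EndRequest += OnEndRequest; // the WWW-Authenticate challenge is attached here
    }

    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        // requireSsl: never accept, and never solicit, credentials over plain HTTP.
        if (RequireSsl && !ctx.Request.IsSecureConnection)
        {
            if (RequireAuthentication) Reject(app, 403, "HTTPS required");
            return;
        }

        string user, password;
        if (!TryParseBasicHeader(ctx.Request.Headers["Authorization"], out user, out password))
        {
            if (RequireAuthentication) Reject(app, 401, "Unauthorized");
            return; // anonymous request; the application decides what it may do
        }

        // Membership does the hashing, comparison and lockout bookkeeping.
        if (!Membership.ValidateUser(user, password))
        {
            Reject(app, 401, "Unauthorized");
            return;
        }

        // Per-application gate: valid user, but not granted access to this application.
        if (EnableRoles && !Roles.IsUserInRole(user, ApplicationRoleName))
        {
            Reject(app, 403, "Forbidden");
            return;
        }

        string[] roles = EnableRoles ? Roles.GetRolesForUser(user) : new string[0];
        ctx.User = new GenericPrincipal(new GenericIdentity(user, "Basic"), roles);
    }

    // Parses "Basic base64(user:password)"; returns false for anything else.
    internal static bool TryParseBasicHeader(string header, out string user, out string password)
    {
        user = password = null;
        if (string.IsNullOrEmpty(header) ||
            !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;
        string decoded;
        try
        {
            // The charset is unspecified by the scheme; ISO-8859-1 is what most clients send.
            byte[] raw = Convert.FromBase64String(header.Substring(6).Trim());
            decoded = Encoding.GetEncoding("ISO-8859-1").GetString(raw);
        }
        catch (FormatException) { return false; }
        int colon = decoded.IndexOf(':');
        if (colon <= 0) return false; // user name is mandatory, password may be empty
        user = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }

    private static void Reject(HttpApplication app, int status, string description)
    {
        app.Response.StatusCode = status;
        app.Response.StatusDescription = description;
        app.CompleteRequest(); // jump to EndRequest; no handler runs
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        // Challenge only on 401; the 403 sent over plain HTTP must not invite clear-text credentials.
        if (app.Response.StatusCode == 401)
            app.Response.AppendHeader("WWW-Authenticate", "Basic realm=\"" + Realm + "\"");
    }
}
```

Two things to check when wiring this up: the module must be registered under system.webServer/modules (integrated pipeline) or system.web/httpModules (classic), and the site's authentication mode should be None, because the Forms authentication module would otherwise turn every 401 into a redirect to the login page and the basic-auth challenge would never reach the client.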
The module can be configured with the following options (the attributes requireAuthentication and requireSsl described below also go on the authenticationSection element):
<authenticationSection xmlns="urn:BasicAuthenticationModule" enabled="true" realm="test">
<cache enableCache="false" cacheDurationMinutes="1"/>
<roles enableRoles="true" applicationRoleName="sample"/>
</authenticationSection>
/authenticationSection/enabled - whether the module is active or not.
/authenticationSection/realm - the text displayed in the browser's login dialog (sent back in the WWW-Authenticate header).
/authenticationSection/requireAuthentication - when set to false, requests that carry no credentials are let through as anonymous alongside authenticated ones, and your application logic handles the two cases accordingly.
/authenticationSection/requireSsl - when set to true, users can't authenticate unless the request was made over https, so credentials are never accepted over a plain-text connection.
/authenticationSection/cache/enableCache and cacheDurationMinutes - whether validated credentials are cached, and for how many minutes, so that the Membership store is not hit on every request.
/authenticationSection/roles/enableRoles - enables the role check. This is useful when you share one membership database across several applications: represent every application as a role and you can configure which applications a user has access to.
/authenticationSection/roles/applicationRoleName - the name of the role (application) a user must be in to be granted access.
To start using the module, either copy the .dll in the download to the bin folder of your application or add it to the Global Assembly Cache so that all your applications in IIS can use it. Next, make sure the following sections are present and configured in your web.config: the module's own section, a connection string for the membership database, the SqlMembershipProvider settings, and the system.webServer validation element (only the relevant attributes are shown below):
enabled="true" realm="dex test"
connectionString="data source=.;Integrated Security=SSPI;
requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6"
passwordAttemptWindow="10" applicationName="/" />
<validation validateIntegratedModeConfiguration="false" />
I'm assuming you already know how to set up the membership database. If not, you can find more information on the MSDN page on configuring membership.