
Introduction
As an alternative to forms authentication for authenticating users against a database, you can use HTTP basic authentication (without adding user records to Active Directory). I first wondered whether the browser's built-in login dialog (as in IE) could be used for my own authentication when I saw it years ago while learning SAMBA. I tried to make it work in classic ASP without any IIS configuration, and then came across an interesting topic on PHP basic authentication while googling: PHP has built-in server variables for handling basic authentication.
Some whitepapers helped me a great deal in learning the mechanism of this authentication. The day I solved it in ASP was the first time I had built something of this kind on my own. While on vacation last week, after seeing the Passport login dialog of MSN, I thought of migrating my old piece of code to ASP.NET by handling events in the global.asax file. Finally I found an HttpModule to be the best way to implement it.
You are most welcome if you have a better idea. Please post your comments.
Background
Authentication is the process of obtaining identification credentials such as name and password from a user and validating those credentials against some authority. If the credentials are valid, the entity that submitted the credentials is considered an authenticated identity. Once an identity has been authenticated, the authorization process determines whether that identity has access to a given resource.
Using the code
This works by sending a 401 status code together with the WWW-Authenticate response header, which makes the browser pop up its login dialog. The credentials the browser then sends back in the Authorization header are Base64 encoded (not encrypted) and are decoded and validated during the AuthenticateRequest event of the application.
Response.AddHeader("WWW-Authenticate", "Basic realm=\"My Realm\"");
The base class for the authentication handler is BaseAuthenticationModule. You should override the Authenticate method of this class to implement your authentication logic, which returns a GenericPrincipal object. You can still use your favourite User.IsInRole() check for role-based authorization.
<httpModules>
<add name="santosh.web" type="santosh.web.SQLAuthentication,MyAuthentication" />
</httpModules>
As with any other HTTP module, you have to add a configuration element to web.config to register it, and deny unauthenticated users (<deny users="?"/>) in the authorization element. The rest is largely up to you: how you handle your authentication logic is your choice. Do not forget that this scheme is not considered a secure method of user authentication unless it is used in conjunction with some external secure system such as SSL [5], because the user name and password are passed over the network as clear text (Base64 is an encoding, not encryption).
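The flow described above, as an added example that is not code from the original article: a hypothetical IHttpModule named after the <httpModules> entry, which decodes the Base64 credentials in AuthenticateRequest, builds a GenericPrincipal on success, and adds the WWW-Authenticate challenge in EndRequest whenever the request ends with a 401 (for instance because of <deny users="?"/>). The ValidateUser lookup and its sample account are constructed placeholders.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

namespace santosh.web
{
    // Hypothetical implementation of the module registered in the <httpModules> entry above.
    public class SQLAuthentication : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            app.AuthenticateRequest += OnAuthenticateRequest;
            app.EndRequest += OnEndRequest; // sends the challenge once authorization has answered 401
        }

        public void Dispose() { }

        private static void OnAuthenticateRequest(object sender, EventArgs e)
        {
            HttpApplication app = (HttpApplication)sender;
            string header = app.Request.Headers["Authorization"];
            if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
                return; // no credentials yet: the 401 from <deny users="?"/> will trigger the login dialog

            string decoded;
            try { decoded = Encoding.GetEncoding("ISO-8859-1").GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
            catch (FormatException) { return; } // malformed Base64 is treated as no credentials

            int colon = decoded.IndexOf(':'); // split on the first colon only; passwords may contain ':'
            if (colon < 0) return;
            string user = decoded.Substring(0, colon);
            string[] roles = ValidateUser(user, decoded.Substring(colon + 1));
            if (roles != null)
                app.Context.User = new GenericPrincipal(new GenericIdentity(user, "Basic"), roles);
        }

        private static void OnEndRequest(object sender, EventArgs e)
        {
            HttpApplication app = (HttpApplication)sender;
            if (app.Response.StatusCode == 401)
                app.Response.AppendHeader("WWW-Authenticate", "Basic realm=\"My Realm\"");
        }

        // Hypothetical lookup: returns the user's roles on success, null on failure.
        private static string[] ValidateUser(string user, string pass)
        {
            // Constructed sample account; a real module queries the user table and compares a salted hash.
            if (user == "alice" && pass == "s3cret") return new[] { "Users" };
            return null;
        }
    }
}
```

Because the browser resends the credentials with every request, the module runs on each request; keep the lookup cheap and never log the decoded password.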
Points of Interest
By default the entire application is secured when we deny anonymous user access in the root web's authorization element, whereas you may be interested in securing only part of the application and leaving the root accessible to all. You can use the location element in your web.config file to customise the access control list. This is a great feature of declarative security in ASP.NET: not only by user, you can restrict different parts of the application by role as well. Implementing role-based authorization with the forms-based authentication mechanism is quite complex to handle. Here you enjoy the freedom of maintaining user accounts in your own database rather than Active Directory, which is especially useful when deploying with a public web hosting service.
<location path="Secured">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Debugging this feature from Visual Studio is a problem. Instead you can attach to the aspnet_wp.exe process and invoke the page from your browser, the way I did.
This mechanism only works when IIS's own authentication is turned off and anonymous access is enabled. I got a scare when it stopped working while testing before publishing this article: I had accidentally enabled integrated authentication to debug other parts of the code. :)
In another article I have described how to use the same mechanism with a Struts Action Servlet for J2EE-based applications.
History
RFC for Basic authentication: http://www.faqs.org/rfcs/rfc2617.html
An article implementing the same with PHP: http://www.cascade.org.uk/software/php/auth/