Re: Custom authentication

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 10/05/05


Date: Wed, 05 Oct 2005 07:39:49 -0700

Hello Joe,

I guess with UTF8 (as this is compatible with ASCII but can use the full 2
bytes) you should be on the safe side - but a good pointer.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
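As an added example (not code from this thread or from Dominick's book), here is an IHttpModule that does the Basic-auth parsing discussed above while decoding the Base64 payload as UTF-8 rather than ASCII, so the non-ASCII Windows passwords Joe mentions survive the round trip. It also splits the decoded string on the first colon only (passwords may contain colons; user names may not), rejects malformed Base64 or invalid UTF-8 instead of throwing, and compares credentials in fixed time. The expected user name and password, the realm and the module name are constructed placeholders; a real module would check its own user store.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

// Added example, not the thread's handler: a Basic-auth IHttpModule that
// decodes credentials as UTF-8 and fails closed on malformed input.
public sealed class BasicAuthModule : IHttpModule
{
    // Constructed placeholder credentials; replace with a lookup in your own store.
    private const string ExpectedUser = "dbaier@develop.com";
    private const string ExpectedPassword = "pässwörd:with:colons";

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        string user, password;
        if (TryParseBasicCredentials(app.Request.Headers["Authorization"], out user, out password)
            && FixedTimeEquals(user, ExpectedUser)
            && FixedTimeEquals(password, ExpectedPassword))
        {
            app.Context.User = new GenericPrincipal(
                new GenericIdentity(user, "Basic"), new string[0]);
            return;
        }
        Challenge(app.Response);
    }

    // Parses "Basic <base64(user:password)>". Returns false for anything
    // that is not well-formed rather than letting an exception escape.
    public static bool TryParseBasicCredentials(string header, out string user, out string password)
    {
        user = null;
        password = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;

        byte[] raw;
        try { raw = Convert.FromBase64String(header.Substring(6).Trim()); }
        catch (FormatException) { return false; }

        // Strict UTF-8 decoder: invalid byte sequences raise instead of
        // being silently replaced with U+FFFD, which would corrupt the password.
        string userPass;
        try { userPass = new UTF8Encoding(false, true).GetString(raw); }
        catch (DecoderFallbackException) { return false; }

        // Only the first colon separates user from password; later ones belong to the password.
        int colon = userPass.IndexOf(':');
        if (colon < 0)
            return false;
        user = userPass.Substring(0, colon);
        password = userPass.Substring(colon + 1);
        return true;
    }

    // Compares without short-circuiting on the first mismatching byte,
    // so the comparison time does not reveal how much of the secret matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a);
        byte[] y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        int n = Math.Min(x.Length, y.Length);
        for (int i = 0; i < n; i++)
            diff |= x[i] ^ y[i];
        return diff == 0;
    }

    private static void Challenge(HttpResponse response)
    {
        response.StatusCode = 401;
        // The charset parameter (RFC 7617) tells newer clients to send UTF-8;
        // older clients ignore it, so the server still has to decode defensively.
        response.AddHeader("WWW-Authenticate", "Basic realm=\"Unity\", charset=\"UTF-8\"");
        response.End();
    }
}
```

Register the module in web.config under httpModules (classic pipeline) or modules (integrated pipeline). The strict UTF8Encoding constructor is what distinguishes this from Encoding.UTF8: the default decoder replaces bad bytes and would let a mangled credential reach the comparison.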

> Ah, nice. Thanks Dominick! That should help the original poster get
> started.
>
> One thing on this that I've always wondered about is whether it is
> proper with Basic authentication to use ASCII encoding, UTF8 encoding,
> or to try to determine the request encoding as use that.
>
> The issue that I see is that Windows supports full unicode passwords.
> Although few people use the full character set, this could easily be
> an edge failure case. I see it all the time with third party apps in
> our organization that assume ASCII or other character limitations in
> Windows passwords (no spaces is commonly assumed), and they break for
> a small percentage of our users as a result.
>
> I tried to figure this out from the Basic authentication spec, but it
> didn't seem to specify. It essentially just says "Base64 encoded
> string", without specifying how that string was converted to binary.
>
> Anyway, just wondering if you knew or had thought about it.
>
> Joe K.
>
> "Dominick Baier [DevelopMentor]"
> <dbaier@pleasepleasenospamdevelop.com> wrote in message
> news:42565460fc1558c797aa3baf8c5a@news.microsoft.com...
>
>> Hello Joe,
>>
>> I have some code for a handler - should be easy to rewrite as a
>> module (or wait some more days and I have finished that part in my
>> book :))
>>
>>> using System;
>>> using System.Text;
>>> using System.Web;
>>> using System.Xml;
>>>
>>> class MyHandler : IHttpHandler
>>> {
>>>     public void ProcessRequest(HttpContext c)
>>>     {
>>>         bool authenticated = false;
>>>         string credentials = c.Request.Headers["Authorization"];
>>>         if (credentials != null && credentials.StartsWith("Basic"))
>>>         {
>>>             // Strip the "Basic " scheme prefix and decode the Base64 payload
>>>             string encodedUserPass = credentials.Substring(6).Trim();
>>>             string userPass = Encoding.ASCII.GetString(
>>>                 Convert.FromBase64String(encodedUserPass));
>>>             if (userPass == "dbaier@develop.com:secret")
>>>             {
>>>                 authenticated = true;
>>>             }
>>>         }
>>>         if (!authenticated)
>>>         {
>>>             // Challenge the client; Response.End() stops the request here
>>>             c.Response.StatusCode = 401;
>>>             c.Response.AddHeader(
>>>                 "WWW-Authenticate",
>>>                 "Basic realm=\"Unity\"");
>>>             c.Response.End();
>>>         }
>>>         c.Response.ContentType = "text/xml";
>>>         XmlTextWriter w = new XmlTextWriter(c.Response.Output);
>>>         w.WriteElementString("rss", "Pretend this is RSS!");
>>>     }
>>>
>>>     public bool IsReusable
>>>     {
>>>         get { return false; }
>>>     }
>>> }
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> I've never tried this, but you should be able to write a basic
>>> authentication httpmodule that responds with the correct
>>> header/status challenges and parses out the authorization header to
>>> get the username and password.
>>>
>>> I think the tricky parts would be handling realms correctly and
>>> placing a maximum number of login attempts on the client (which
>>> requires some sort of state).
>>>
>>> Joe K.
>>>
>>> "Lars" <noone@noone.com> wrote in message
>>> news:11k2vbdm9thdbb2@corp.supernews.com...
>>>> I need to implement a custom authentication process that closely
>>>> mimics IIS Basic Authentication. My first question is -- can Basic
>>>> Authentication be intercepted so that I can provide my own user
>>>> name/password authentication? If not, what's the best way to
>>>> implement something like this? I can't use Forms Authentication
>>>> because the browser (or a client app) needs to trigger one of the
>>>> native IIS user authentication methods (basic, windows, etc.).
>>>>
>>>> I've been digging around for a while and don't see an obvious
>>>> answer.
>>>>
>>>> Thanks,
>>>> Chris