Web Services Security – HTTP Basic Authentication without Active Directory
June 26th, 2002 by gregr
.NET HTTP Module – sample code
In my last mini-article on web services security, I talked a bit about using HTTP authentication mechanisms for web services. I pointed out that it is not necessary to use Active Directory for this, and mentioned that the required code was not all that difficult. I got a number of e-mails from people asking for examples; so in response, here is a fully working sample in 100% managed code demonstrating the use of HTTP Basic authentication, using a separate credential store (in this case, an XML file, although this would be easy to change to a database or LDAP store).
Note – an ISAPI filter is an equally effective way to implement this; however, many people have hosting arrangements set up such that they cannot install filters. The code here will work in even a very restrictive shared hosting environment.
The implementation was designed with web services in mind, but it will work equally well with any .NET web application. Also, the user credentials are stored in an XML file (users.xml by default). In a real application, you will probably want to change this to access a database, or wherever else you store user information.
A link to download the code is at the end of this article. Rather than walk through all of the code (it’s pretty self-explanatory, download it and take a look), I will walk through here how to set it up and get it running.
To set up:
1. Build BasicAuthMod.dll, and copy it to your web application’s bin directory on your server.
2. Make the following changes to your web.config file (in the <system.web> section):
- Change the authentication line to: <authentication mode="None" />. We need to disable the built-in ASP.NET authentication.
- Add an authorization section if you wish, such as
    <authorization>
      <deny users="?" />
    </authorization>
  If you use BasicAuthMod to authenticate, you can still leverage the built-in ASP.NET authorization capabilities.
- Add the following lines to wire the BasicAuthMod.dll into the ASP.NET pipeline.
    <httpModules>
      <add name="BasicAuthenticationModule"
           type="Rassoc.Samples.BasicAuthenticationModule,BasicAuthMod" />
    </httpModules>
3. Make the following changes to your web.config file (in the <configuration> section), and edit appropriately:
    <appSettings>
      <add key="Rassoc.Samples.BasicAuthenticationModule_Realm"
           value="RassocBasicSample" />
      <add key="Rassoc.Samples.BasicAuthenticationModule_UserFileVpath"
           value="~/users.xml" />
    </appSettings>
4. Copy the sample users.xml file into your virtual directory.
The last thing you need to do is make sure all IIS authentication mechanisms (Basic, Integrated, and Digest) are turned off, and only anonymous is enabled. You can do this within the IIS Manager, or typically hosting providers will provide a way to make sure that Basic is turned off for your hosted sites/virtual directories.
That’s all there is to it; just copy the code, and make some web.config changes. If you have any questions, please feel free to contact me at gregr@rassoc.com.
Greg Reinacker
[related: Digest authentication sample]
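As an added illustration (not the BasicAuthMod source from the download), this is one way a module wired up as in steps 2 and 3 can parse the Authorization header, check it against a file-based store, and issue the Basic challenge. The class name and the users.xml layout with a PBKDF2 salt and hash per user are assumptions, and because Basic credentials are only base64-encoded it assumes the site is served over HTTPS.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Xml.Linq;

// Added sketch, not BasicAuthMod's code. Assumed users.xml layout (hypothetical):
// <users><user name="alice" salt="BASE64" hash="BASE64"/></users>
public class SketchBasicAuthModule : IHttpModule
{
    const string Key = "Rassoc.Samples.BasicAuthenticationModule_"; // appSettings prefix from step 3
    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticate; // fires before ASP.NET URL authorization
        app.EndRequest += OnEndRequest;
    }
    public void Dispose() { }
    void OnAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string h = ctx.Request.Headers["Authorization"];
        if (h == null || !h.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return;
        string pair;
        try { pair = Encoding.UTF8.GetString(Convert.FromBase64String(h.Substring(6).Trim())); }
        catch (FormatException) { return; } // malformed header: request stays anonymous
        int colon = pair.IndexOf(':');      // split on the first ':' only; passwords may contain ':'
        if (colon < 1 || !Verify(ctx, pair.Substring(0, colon), pair.Substring(colon + 1))) return;
        ctx.User = new GenericPrincipal(new GenericIdentity(pair.Substring(0, colon), "Basic"), new string[0]);
    }
    void OnEndRequest(object sender, EventArgs e)
    {
        HttpResponse res = ((HttpApplication)sender).Context.Response;
        if (res.StatusCode == 401) // e.g. produced by <deny users="?"> for an anonymous caller
            res.AppendHeader("WWW-Authenticate", "Basic realm=\"" + ConfigurationManager.AppSettings[Key + "Realm"] + "\"");
    }
    static bool Verify(HttpContext ctx, string user, string password)
    {
        // Names are matched in code, so no XPath expression is built from request input.
        XElement rec = XDocument.Load(ctx.Server.MapPath(ConfigurationManager.AppSettings[Key + "UserFileVpath"]))
            .Root.Elements("user").FirstOrDefault(u => (string)u.Attribute("name") == user);
        if (rec == null) return false;
        byte[] want = Convert.FromBase64String((string)rec.Attribute("hash"));
        byte[] salt = Convert.FromBase64String((string)rec.Attribute("salt"));
        byte[] got = new Rfc2898DeriveBytes(password, salt, 100000).GetBytes(want.Length);
        int diff = 0; // accumulate differences so the comparison does not exit early
        for (int i = 0; i < want.Length; i++) diff |= want[i] ^ got[i];
        return diff == 0;
    }
}
```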
This entry was posted on Wednesday, June 26th, 2002 at 8:00 am and is filed under Uncategorized.

May 20th, 2008 at 6:21 am
[...] How to implement a custom authentication provider for IIS in .Net. Very useful if you need to authenticate your KML-generating web page and you don’t want to use Active Directory. No tag for this post. [...]
May 20th, 2008 at 10:10 am
This works fine within Visual Studio but does not work in IIS. When we host this on IIS, IIS does not call BasicAuthenticationModule (on the security tab, only Basic Authentication is checked; all other options are unchecked).
May 23rd, 2008 at 11:05 am
@.netdeveloper:
I think you’ve misread the notes.
>> The last thing you need to do is make sure all IIS authentication mechanisms (Basic, Integrated, and Digest) are turned off, and only anonymous is enabled.
i.e. all auth options off, save for anonymous, in IIS.
It strikes me that having basic authentication enabled in IIS would cause the behaviour you noted (your auth module never being called)
I could be wrong… =)
September 3rd, 2008 at 8:11 pm
That appears to have secured my web service, but how do I pass the username and password when consuming the web service, say from a VB Windows application?
October 1st, 2008 at 1:07 pm
Hi,
The sample code provided compiles and all, but it does not secure my web service. Please advise: how do I confirm that the web service is secured?
October 2nd, 2008 at 9:24 am
@Learner – make sure you follow _every_ step above, including the part after step 4 about IIS config. Then, try to hit your web service endpoint with a browser – you should find that it prompts you for credentials.
November 13th, 2008 at 1:43 pm
I simply cannot get this to work in an ASP.net 2 webservice. It blows up completely inexplicably with w3wp.exe exceptions in the Application Log on Windows 2003 server. HTML pages work just fine, but any time I touch an ASPX or ASMX, the entire app pool crashes.
March 4th, 2009 at 7:39 am
Using this code and it works great, thanks. Just one question – how would I implement a logout function? I’ve tried FormsAuthentication.SignOut(), Session.Abandon() and Context.User = null, but neither seems to work. I’m still logged on as the original user.
March 4th, 2009 at 3:01 pm
Kim – you pretty much can’t…using Basic auth, the browser will re-present the credentials on each request as necessary, and assuming those credentials are still valid, it will be transparent to the user.
April 23rd, 2009 at 6:12 am
This works great on my dev machine with IIS5 but when running on the hosting server (IIS7) it does not work, access is denied all the time.
Any ideas?
July 24th, 2009 at 12:17 am
Where is the link to download the DLL?
July 24th, 2009 at 4:56 am
Mike, the source is available, which you can compile. I don’t have a DLL available for download.
August 11th, 2009 at 1:44 am
I did all the steps and added using System.Web in the BasicAuthenticationModule.cs class; however, Visual Studio gives errors like IHttpModule, HttpApplication could not be found. Could you tell me where I made the mistake?
August 24th, 2009 at 2:09 pm
For anyone trying to get this to work with IIS7, you need to do this:
- In web.config, change the name of the httpModule to “CustomBasicAuthenticationModule”. In IIS7, there’s already a built-in module named “BasicAuthenticationModule”.
- Follow the instructions here http://bdotnet.in/blogs/navaneeth/archive/2008/07/06/2056.aspx
Chinh
April 23rd, 2010 at 3:39 am
I have hosted this, and the web services are working fine with the Basic Authentication Module.
My problem is, I hosted web forms in the same domain as well.
This authentication is applied not only to the web services but also to the web pages.
I want this to work only for web services. Is there a way?