How to handle ASP.NET Authentication

Question

Hi, I have the following problem: I want to protect the access to some files hosted under IIS using an asp.net page. The page will be called from another application using:

var request = WebRequest.Create("www.smth.com/protectData.aspx") 
              as HttpWebRequest;
request.Credentials = new NetworkCredentials("john doe", "john"); 
request.PreAuthenticate = true; 
var response = request.GetResponse();

How to read the credentials sent on the called page (protectData.aspx)?

I have code in place in order to validate the credentials... I've tried implementing custom membership, but HttpContext.Current.User is null. The aspx page is hosted in a web application which hosts a WCF service authenticated with custom policy:

system.serviceModel>
serviceAuthorization principalPermissionMode="Custom"
authorizationPolicies
add policyType="CustomPolicy.CustomPolicy, CustomPolicy" />
authorizationPolicies
system.serviceModel

For aspx pages I have no security in place for now, basically I want just to get the credentials from request and validate them using existing code.

Any help is appreciated, Adrian

Answer 1

You basically have two options. You can use HTTP Transport authentication, or Forms Based Authentication.

For Transport authentication, you will have to setup IIS to protect the resource that the client is trying to access. This resource can be your file, or the ASPX page. The ASPX page will then be able to read the HttpContext.Current.User variable, and be able to decide if that user can access the resource.

For Forms Based Auth, IIS does not need to authenticate the request. Instead, you do a Forms post to a webform that can then look at the username/password in the request and decide whether to allow access or not.

A variation of Forms Based Auth (FBA) is to post the username/password in the POST body, that the ASPX page can then read, decode, and decide whether to allow access.