Hi folks,

I'm trying to go to the following URL:

http://user1:pass1@localhost:1234/api/users?format=xml

Nothing too complex. Notice how I've got the username/password in the URL? This, I believe, is for basic authentication.

When I do that, the Request Headers are MISSING the 'Authorize' header. Er... that's not right :(

I have anonymous authentication only set up on the site. I don't want to have anon off and basic turned on .. because not all of the site requires basic.. only a few action methods.

So .. why is this not working? Is this something to do with the fact my code is not sending a 401 challenge or some crap?

For What It's Worth, my site is ASP.NET MVC1 running on IIS7 (and the same thing happens when I run it on Cassini).

Update:

If this is an illegal way of calling a resource using basic auth (a la security flaw) .. then is this possible to do, for an ASP.NET MVC website .. per action method (and not the entire site, per se)?

A: 

If you want to use basic authentication, the first request to the resource needs to return an HTTP 401 error code, and set a WWW-Authenticate header. This will instruct the browser to actually send those credentials.

You mentioned you're using ASP.NET MVC. You might be able to do this via the web.config, but I'm not sure on the exact mechanics.

Yuliy
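
The challenge described above, scoped to individual action methods as the question asks, as an added example for ASP.NET MVC 1 (this is not Yuliy's code, the asker's code, or any product's code; the realm string and the hardcoded `user1`/`pass1` check are constructed for the demo):

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web.Mvc;

// Apply [BasicAuthChallenge] only to the actions that need it; everything else stays anonymous.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class BasicAuthChallengeAttribute : FilterAttribute, IAuthorizationFilter
{
    // Assumption: the realm is an arbitrary label; the browser shows it in its credential prompt.
    private const string Realm = "api";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        string user, pass;
        string header = filterContext.HttpContext.Request.Headers["Authorization"];
        if (TryParseBasic(header, out user, out pass) && CredentialsValid(user, pass))
        {
            // Expose the authenticated name to the action via User.Identity.Name and continue.
            filterContext.HttpContext.User =
                new GenericPrincipal(new GenericIdentity(user, "Basic"), new string[0]);
            return;
        }
        // No or bad credentials: send the challenge. Without this 401 + WWW-Authenticate pair
        // the browser never turns the user:pass@ part of the URL into an Authorization header.
        filterContext.HttpContext.Response.AddHeader(
            "WWW-Authenticate", "Basic realm=\"" + Realm + "\"");
        filterContext.Result = new HttpUnauthorizedResult();
    }

    // Parses "Basic base64(user:pass)"; malformed input is rejected rather than thrown.
    private static bool TryParseBasic(string header, out string user, out string pass)
    {
        user = pass = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; }
        int colon = decoded.IndexOf(':');
        if (colon < 1) return false;          // no separator or empty user name
        user = decoded.Substring(0, colon);
        pass = decoded.Substring(colon + 1);  // the password itself may contain ':'
        return true;
    }

    // Constructed check for the demo; a real site looks the user up in its own credential store.
    private static bool CredentialsValid(string user, string pass)
    {
        return user == "user1" && pass == "pass1";
    }
}
```

Basic auth only base64-encodes the password, so the protected actions should be served over HTTPS; and if Forms authentication is enabled in web.config, its module turns this 401 into a redirect to the login page, so it needs to stay off for this to work as shown.
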
A: 

My company makes a product called the Neokernel Web Server (http://www.neokernel.com); it is an ASP.NET web server with support for basic authentication among other features.

You specify protected resources in an Apache-style config file, so you could put your "protected" actions in a folder requiring authentication and put everything else in the root / unprotected. Look at the "http.authentication" file installed in the Neokernel root directory for an example, or at the authentication samples in the demos.zip file.

Damien