I have an ASP.NET MVC application, with some RESTful services that I'm trying to secure using custom basic authentication (they are authenticated against my own database). I have implemented this by writing an HTTPModule.
I have one method attached to the HttpApplication.AuthenticateRequest event, which calls this method in the case of authentication failure:

    private static void RejectWith401(HttpApplication app)
    {
        // Set the 401 status and short-circuit the pipeline to EndRequest.
        app.Response.StatusCode = 401;
        app.Response.StatusDescription = "Access Denied";
        app.CompleteRequest();
    }

This method is attached to the HttpApplication.EndRequest event:

    public void OnEndRequest(object source, EventArgs eventArgs)
    {
        var app = (HttpApplication) source;
        // Attach the Basic challenge to every 401 response.
        if (app.Response.StatusCode == 401)
        {
            string val = String.Format("Basic Realm=\"{0}\"", "MyCustomBasicAuthentication");
            app.Response.AppendHeader("WWW-Authenticate", val);
        }
    }

This code adds the "WWW-Authenticate" header which tells the browser to throw up the login dialog. This works perfectly when I debug locally using Visual Studio's web server. But it fails when I run it in IIS7.
For IIS7 I have the built-in authentication modules all turned off, except anonymous. It still returns an HTTP 401 response, but it appears to be removing the WWW-Authenticate header.
Any ideas?