I have an ASP.NET MVC application, with some RESTful services that I'm trying to secure using custom basic authentication (they are authenticated against my own database). I have implemented this by writing an HTTPModule.

I have one method attached to the HttpApplication.AuthenticateRequest event, which calls this method in the case of authentication failure:

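    // Called from the AuthenticateRequest handler when credentials are missing or invalid.
    private static void RejectWith401(HttpApplication app)
    {
        app.Response.StatusCode = 401;
        app.Response.StatusDescription = "Access Denied";
        // Bypass the remaining pipeline events and go straight to EndRequest.
        app.CompleteRequest();
    }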

This method is attached to the HttpApplication.EndRequest event:

    public void OnEndRequest(object source, EventArgs eventArgs)
    {
        var app = (HttpApplication) source;
        // On a 401, add the Basic challenge so the client prompts for credentials.
        if (app.Response.StatusCode == 401)
        {
            string val = String.Format("Basic Realm=\"{0}\"", "MyCustomBasicAuthentication");
            app.Response.AppendHeader("WWW-Authenticate", val);
        }
    }

This code adds the "WWW-Authenticate" header which tells the browser to throw up the login dialog. This works perfectly when I debug locally using Visual Studio's web server. But it fails when I run it in IIS7.

For IIS7 I have the built-in authentication modules all turned off, except anonymous. It still returns an HTTP 401 response, but it appears to be removing the WWW-Authenticate header.

Any ideas?

A: 

I figured it out. The problem was that I named this module "BasicAuthenticationModule", which conflicted with another module IIS had built in. Once I renamed the module, things worked just fine!

manu08
+1  A: 

Even though you have it working, this is something else to consider:

http://wcfrestcontrib.codeplex.com/wikipage?title=Web%20Authentication%20Overview&referringTitle=Home

Raj Kaimal
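
An added example, not part of the original posts: one way the AuthenticateRequest handler described in the question could parse the `Authorization` header before deciding whether to call `RejectWith401`. `BasicCredentials` and `TryParse` are hypothetical names, and the sample header values are constructed.

```csharp
using System;
using System.Text;

// Added example; BasicCredentials and TryParse are hypothetical names.
public static class BasicCredentials
{
    // Strict UTF-8 decoder: throws on invalid bytes instead of substituting U+FFFD.
    private static readonly Encoding StrictUtf8 = new UTF8Encoding(false, true);

    public static bool TryParse(string header, out string user, out string password)
    {
        user = password = null;
        const string scheme = "Basic ";
        if (string.IsNullOrEmpty(header) ||
            !header.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return false;                            // missing header or another scheme

        string decoded;
        try
        {
            byte[] raw = Convert.FromBase64String(header.Substring(scheme.Length).Trim());
            decoded = StrictUtf8.GetString(raw);
        }
        catch (FormatException) { return false; }    // payload is not valid base64
        catch (ArgumentException) { return false; }  // payload is not valid UTF-8

        // Split on the first colon only: the password may itself contain ':'.
        int sep = decoded.IndexOf(':');
        if (sep <= 0) return false;                  // no separator or empty user name
        user = decoded.Substring(0, sep);
        password = decoded.Substring(sep + 1);
        return true;
    }

    public static void Main()
    {
        // Constructed sample header values.
        string[] samples =
        {
            "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes("alice:s3cr:et")),
            "Basic !!!not-base64!!!",
            "Bearer abc.def.ghi",
            "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes("nocolon")),
        };
        foreach (string h in samples)
        {
            bool ok = TryParse(h, out string u, out string p);
            Console.WriteLine("{0,-28} -> {1}", h, ok ? "user=" + u : "reject with 401");
        }
    }
}
```

Every malformed input takes the same rejection path, so the 401 response does not reveal which parsing step failed.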