How to get password server side with basic authentication

  • Thread starter Tommaso Caldarola

Tommaso Caldarola

Book: "Building Secure ASP.NET Applications", at page 276 says:

I'm speaking about .NET Remoting Security chapter.

"With Basic Authentication the username and password are available to the server
in clear text."

Now, I get username in this way:

System.Web.HttpContext.Current.User.Identity.Name

and how to get the password?
 

Nicholas Paldino [.NET/C# MVP]

Tommaso,

At that point, I am kind of wondering, why do you want it? The user is
authenticated at that point, and you can be assured that they have logged in
correctly.
 

Tommaso Caldarola

Nicholas said:
Tommaso,

At that point, I am kind of wondering, why do you want it? The user is
authenticated at that point, and you can be assured that they have logged in
correctly.

If I put in client code

IDictionary props = ChannelServices.GetChannelSinkProperties(proxy);
props["username"] = "dummyremotinguser";
props["password"] = "12345";

and then I call proxy.Method()

on the server side in host on IIS (where do I set basic authentication) I got:

IPrincipal principal = System.Web.HttpContext.Current.User;

here I want to perform custom authentication on LDAP or Database, the user IS
NOT AUTHENTICATED at this point, how do I do it? I need to know the password too.
 

Nicholas Paldino [.NET/C# MVP]

Tommaso,

Actually, the user is authenticated, from the perspective of IIS. From
the perspective of LDAP or Database, no, it is not.

There are two solutions here. The first is to not always use different
credentials when accessing the database or an LDAP. Rather, you should
create an account under which your service runs, and then grant access to
that service account. This actually improves scalability when working with
databases, as the connections can be pooled. However, if you are putting
different client credentials together for each connection to the database,
you can't pool them.

Of course, you would have to manage access to the database yourself, but
it's a better alternative, IMO.

The second option would be to use Windows authentication. Then you need
to set IIS up to impersonate the user that is connected. Then, you can use
integrated security to attach to the database and to LDAP.


--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)

 

Willy Denoyette [MVP]

| Nicholas Paldino [.NET/C# MVP] wrote:
|
| > Tommaso,
| >
| > At that point, I am kind of wondering, why do you want it? The user is
| > authenticated at that point, and you can be assured that they have logged in
| > correctly.
|
| If I put in client code
|
| IDictionary props = ChannelServices.GetChannelSinkProperties(proxy);
| props["username"] = "dummyremotinguser";
| props["password"] = "12345";
|
| and then I call proxy.Method()
|
| on the server side in host on IIS (where do I set basic authentication) I got:
|
| IPrincipal principal = System.Web.HttpContext.Current.User;
|
| here I want to perform custom authentication on LDAP or Database, the user IS
| NOT AUTHENTICATED at this point, how do I do it? I need to know the password too.
|

The client IS authenticated with IIS (and the SAM).

Anyway, what you are looking for is called Kerberos Protocol Transition,
a feature available in W2K3.

Start reading these for more detailed info:

http://msdn2.microsoft.com/fr-fr/library/ms131068.aspx
http://msdn.microsoft.com/library/d...-us/dnpag2/html/wss_ch4_prottrantechsuppl.asp


Willy.
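
The book quote in the opening post holds because Basic authentication carries `username:password` Base64-encoded in the `Authorization` request header, which is an encoding and not encryption. The C# below is an added example, not code from the thread or the book; `BasicCredentials` and `TryParse` are hypothetical names, and UTF-8 encoding of the pair is an assumption.

```csharp
using System;
using System.Text;

// Added example: hypothetical helper, not from the thread or the book.
public static class BasicCredentials
{
    // Parses the value of an HTTP "Authorization" header that uses the Basic scheme.
    // Returns false for a missing header, another scheme, bad Base64, or no ':' separator.
    public static bool TryParse(string headerValue, out string userName, out string password)
    {
        userName = null;
        password = null;
        if (string.IsNullOrEmpty(headerValue)) return false;

        const string scheme = "Basic ";
        if (!headerValue.StartsWith(scheme, StringComparison.OrdinalIgnoreCase)) return false;

        byte[] raw;
        try
        {
            raw = Convert.FromBase64String(headerValue.Substring(scheme.Length).Trim());
        }
        catch (FormatException)
        {
            return false; // malformed Base64: treat as no usable credentials
        }

        // Assumption: the client encoded the pair as UTF-8.
        string pair = Encoding.UTF8.GetString(raw);

        // Split on the first ':' only; a password may itself contain ':'.
        int sep = pair.IndexOf(':');
        if (sep < 0) return false;

        userName = pair.Substring(0, sep);
        password = pair.Substring(sep + 1);
        return true;
    }

    public static void Main()
    {
        // Constructed sample: the credentials from the client snippet in the thread.
        string header = "Basic " + Convert.ToBase64String(
            Encoding.UTF8.GetBytes("dummyremotinguser:12345"));

        string user, pass;
        bool ok = TryParse(header, out user, out pass);
        Console.WriteLine(ok ? "user=" + user + ", password length=" + pass.Length
                             : "not a Basic Authorization header");
    }
}
```

In ASP.NET the header value would come from `HttpContext.Current.Request.Headers["Authorization"]`. Because the password is only Base64-encoded on the wire, Basic authentication should be used only over TLS, and the decoded password should not be written to logs.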
 
