HTTP Post Authentication

[Guest]

Looking for some general design recommendations on an authentication scheme
for B2B transactions inbound via an HTTP Post Listener ASPX page that reads
the binary stream from the request body. I would like to add an
authentication process that validates the incoming transaction prior to
processing the post content. Although adding username and password to the
post content is feasable, it is one of the last solutions since it will
involve many customer's to reformat their messages.

Some design ideas that I have in mind are adding a custom request header to
store username and pswd.

Recommendations please.

 

[Brock Allen]

You should look into Basic Authentication then.

-Brock
DevelopMentor
http://staff.develop.com/ballen

 

[Brad]

Here is a link to very good resource for web authentication topics...not
your exact one I think, but it might help :
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpmsdn.asp

 

[Guest]

Can you elaborate more on the basic authentication design?

I assume it would involve setting the Request Header's authorization tag and
then placing the username and password seperated by a colon, and then reading
the authorization tag in the reponse and handling it appropriately.

Only issue is that I cannot set the Request Header authorization since it is
read only.

Any ideas's?

 

[Brock Allen]

I assume it would involve setting the Request Header's authorization

tag and then placing the username and password seperated by a colon,
and then reading the authorization tag in the reponse and handling it
appropriately.

Yep, that's the gist. Here's the RFC:

http://www.faqs.org/rfcs/rfc2617.html

Only issue is that I cannot set the Request Header authorization since
it is read only.

I don't follow.. what do you mean? Are you building the client or the server
or both?

-Brock
DevelopMentor
http://staff.develop.com/ballen

 

[Guest]

Brock,

Have you tried this? The Request.Authorization is read only?

I like this approach, just unsure if it can be done?

 

[Brock Allen]

The Request.Authorization is read only?

So this is in the server. Of course it's read only as it's the information
posted to you.

So let's start over. You need to authenticate in your server. How are you
storing the credentials? Are they windows accounts, or is it stored in your
own custom database? If it's a windows account, then letting IIS manage the
aspects of Basic Authentication is the way to go. It won't let the request
in unless they've passed the proper credentials. If it's your own database,
then you'll have to read the headers (the ones that are read only) and do
the check yourself.

I feel like I'm missing something about your question... So sorry if this
doesn't address exactly whatyou're looking for.

-Brock
DevelopMentor
http://staff.develop.com/ballen

 

[Guest]

Credentials are stored in the database, for example licenseKey=12345.

The customer is making a request to webpage1.aspx and performing an http
post with their message in the the request body. My design is to tell the
customer to send their licenseKey 12345 as a custom header in the request,
then when the webpage is processing the request it will retrieve this key
along with the request body (data).

The only thing that is unknown is how do I tell the customer to send in the
licenseKey as a request header and how does the application then read it in
during the processing? Can custom request headers be made or can I fill this
data into the current Http.Authorization header?

From my findings, a cannot create a custom request header, or change an
pre-existing one. That said, this design may not be the correct approach.

Thanks for all your feedback, I appreciate it.

 

[Brock Allen]

The only thing that is unknown is how do I tell the customer to send

in the licenseKey as a request header and how does the application
then read it in during the processing? Can custom request headers be
made or can I fill this data into the current Http.Authorization
header?

SO whatever technology they're using to create the HTTP request, they'll
have some API to add headers. DO you know who the client is? What technology
are they using. .NET? Or something else? Like I said, in any case, they'll
have some API to add a header.

In the server (your code) you simply access Request.Headers["YourHeaderID"]
which returns a string. You don't need to modify this in the server, just
read it to do your authentication.

I think your design sounds fine as long as the clients are fine with putting
the custom header in there. If they're writing code to access your server,
then this should not be a problem. The only additional thing I'd like to
see in your design is to always use SSL for your server. HTTP is sent across
the network in plaintext, so I can sniff the network packets and steal the
header.

-Brock
DevelopMentor
http://staff.develop.com/ballen

 

[Guest]

For simplicity assume the customer is using asp.net. I would like to write a
test client to add the request.authorization header, but unable to find a way
to set this header. I am not sure that this is possible. Do you have any
samples?

SSL is the current solution. Thanks again!

The only thing that is unknown is how do I tell the customer to send
in the licenseKey as a request header and how does the application
then read it in during the processing? Can custom request headers be
made or can I fill this data into the current Http.Authorization
header?

SO whatever technology they're using to create the HTTP request, they'll
have some API to add headers. DO you know who the client is? What technology
are they using. .NET? Or something else? Like I said, in any case, they'll
have some API to add a header.

In the server (your code) you simply access Request.Headers["YourHeaderID"]
which returns a string. You don't need to modify this in the server, just
read it to do your authentication.

I think your design sounds fine as long as the clients are fine with putting
the custom header in there. If they're writing code to access your server,
then this should not be a problem. The only additional thing I'd like to
see in your design is to always use SSL for your server. HTTP is sent across
the network in plaintext, so I can sniff the network packets and steal the
header.

-Brock
DevelopMentor
http://staff.develop.com/ballen

 

[Brock Allen]

So to write a test client, look into the System.Web.HttpWebRequest and System.Web.HttpWebResponse
classes.

-Brock
DevelopMentor
http://staff.develop.com/ballen

For simplicity assume the customer is using asp.net. I would like to
write a test client to add the request.authorization header, but
unable to find a way to set this header. I am not sure that this is
possible. Do you have any samples?

SSL is the current solution. Thanks again!

The only thing that is unknown is how do I tell the customer to send
in the licenseKey as a request header and how does the application
then read it in during the processing? Can custom request headers
be made or can I fill this data into the current Http.Authorization
header?

SO whatever technology they're using to create the HTTP request,
they'll have some API to add headers. DO you know who the client is?
What technology are they using. .NET? Or something else? Like I said,
in any case, they'll have some API to add a header.

In the server (your code) you simply access
Request.Headers["YourHeaderID"] which returns a string. You don't
need to modify this in the server, just read it to do your
authentication.

I think your design sounds fine as long as the clients are fine with
putting the custom header in there. If they're writing code to access
your server, then this should not be a problem. The only additional
thing I'd like to see in your design is to always use SSL for your
server. HTTP is sent across the network in plaintext, so I can sniff
the network packets and steal the header.

-Brock
DevelopMentor
http://staff.develop.com/ballen

 

[Chris Fink]

Brock,

After several attempts I have determined that a custom HTTP header cannot be
added and retrieved in .Net.

Following is a supporting article that reiterates my discovery.
http://www.asp.net/Default.aspx?tabindex=9&tabid=48

If you know otherwise, or have done something similar, please let me know
since this hurdle puts an end to my design.

Thanks again for your feedback

So to write a test client, look into the System.Web.HttpWebRequest and System.Web.HttpWebResponse

classes.

-Brock
DevelopMentor
http://staff.develop.com/ballen



For simplicity assume the customer is using asp.net. I would like to
write a test client to add the request.authorization header, but
unable to find a way to set this header. I am not sure that this is
possible. Do you have any samples?

SSL is the current solution. Thanks again!

The only thing that is unknown is how do I tell the customer to send
in the licenseKey as a request header and how does the application
then read it in during the processing? Can custom request headers
be made or can I fill this data into the current Http.Authorization
header?

SO whatever technology they're using to create the HTTP request,
they'll have some API to add headers. DO you know who the client is?
What technology are they using. .NET? Or something else? Like I said,
in any case, they'll have some API to add a header.

In the server (your code) you simply access
Request.Headers["YourHeaderID"] which returns a string. You don't
need to modify this in the server, just read it to do your
authentication.

I think your design sounds fine as long as the clients are fine with
putting the custom header in there. If they're writing code to access
your server, then this should not be a problem. The only additional
thing I'd like to see in your design is to always use SSL for your
server. HTTP is sent across the network in plaintext, so I can sniff
the network packets and steal the header.

-Brock
DevelopMentor
http://staff.develop.com/ballen

 

[Wessel Troost]

After several attempts I have determined that a custom HTTP header

cannot be added and retrieved in .Net.

You can add a header, and send it to the browser.
You can retrieve any header send by the browser to the server.

But typically, the browser does not add headers it receives to requests it
sends out. That's what the article says.

Greetings,
Wessel

 

[Guest]

Wessel,

Have you tried to add a custom header in the request (prior to page posting)
and then retrieve it in the response (after page post)? I cannot be done,
using IIS and .NET, at least.

 

[Wessel Troost]

Have you tried to add a custom header in the request (prior to page

posting) and then retrieve it in the response (after page post)? I
cannot be done, using IIS and .NET, at least.

Sure I have. Put this in an .asmx page:

private void Page_Load(object sender, System.EventArgs e)
{
Response.AddHeader( "CustomHeaderFromServer",
Request.Headers["CustomHeaderFromClient"] );
}

From a client, call the web page like this:

// Set up the request to the server
string sRequest = "GET / HTTP/1.0";
HttpWebRequest myRequest = (HttpWebRequest)
HttpWebRequest.Create( "http://yoururl/" );
myRequest.Headers.Add( "CustomHeaderFromClient",
"CustomDataFromClient" );
myRequest.Method = "POST";

// Post the request to the server
StreamWriter sw = new StreamWriter(
myRequest.GetRequestStream() );
sw.Write( sRequest );
sw.Close();

// Read response from the server
HttpWebResponse myResponse = (HttpWebResponse)
myRequest.GetResponse();
string sData = myResponse.Headers["CustomHeaderFromServer"];

After this, sData will contain the header information from the request:
"CustomDataFromClient"

Of course, the average web server doesn't mirror your headers back to
you. You have to control the server to do that.

Greetings,
Wessel