stackoom
  简体   繁体   中英

How “WebRequest” object determine the “IAuthenticationModule” implementation to use?

 原文  2019-05-03 08:30:19       c#/ authentication/ authorization/ basic-authentication/ bearer-token

Question

I would like to use System.Net's AuthenticationManager class to define the basic or bearer authorization header of a WebRequest .

AuthenticationManager provides a Register method to add a new module (implementation of IAuthenticationModule ). This suggests that it is possible to register multiple modules and that there is a way to select one of these modules.

And I suppose that module selection must be done by giving the value that is defined in the "AuthenticationType" property of the module. I define it in a CredentialCache that I pass to my "WebRequest".

I tried to create and save 2 modules:

  • A module to redefine the basic authorization (to disable the pre-authentication) (I use the example of the Microsoft documentation: here )
  • A module for authorization bearer.

Then I save my 2 modules in AuthenticationManager with the following code: 

// I remove the previous basic module 
AuthenticationManager.Unregister("Basic");

// And i register my 2 modules
AuthenticationManager.Register(customBasicModule);
AuthenticationManager.Register(customBearerModule);

But it seems that this is always the first record module that is called.

My test code: 

HttpWebRequest request = (HttpWebRequest)WebRequest.Create("http://example.com");

var cache = new CredentialCache();
cache.Add(new Uri("http://example.com"), "Basic", new NetworkCredential("user", "password"));

request.Method = "GET";    
request.Credentials = cache;

HttpWebResponse response = (HttpWebResponse)request.GetResponse();

I expect the "customBasicModule" to be called because I indicated "Basic" in the property "AuthenticationType" of this module and also in the "CredentialCache". But if I register the "customBearerModule" first, it will be called.

Modules : 

public class BasicAuthenticationModule : IAuthenticationModule
{
    private const string BASIC_SCHEME = "Basic";

    public bool CanPreAuthenticate => false;

    public string AuthenticationType => BASIC_SCHEME;

    public Authorization Authenticate(string challenge, WebRequest request, ICredentials credentials)
    {
        // Some code to get Basic from ICredentials
    }

    public Authorization PreAuthenticate(WebRequest request, ICredentials credentials)
    {
        return null;
    }
}

public class BearerAuthenticationModule : IAuthenticationModule
{
    private const string BEARER_SCHEME = "Bearer";

    public bool CanPreAuthenticate => false;

    public string AuthenticationType => BEARER_SCHEME;

    public Authorization Authenticate(string challenge, WebRequest request, ICredentials credentials)
    {
        // Some code to get Bearer from ICredentials
    }

    public Authorization PreAuthenticate(WebRequest request, ICredentials credentials)
    {
        return null;
    }
}

1 answers

solution1
 0 ACCPTED  2019-06-06 17:40:38

The AuthenticationManager will always call all IAuthenticationModule in the order they have been register until one return a non null Authorization instance.

The idea is that each IAuthenticationModule implementation is expected to validate the challenge parameter against what they are able to do and return null if they do not match.

So your implementations should looks to 

public class BasicAuthenticationModule : IAuthenticationModule
{
    private const string BASIC_SCHEME = "Basic";

    public bool CanPreAuthenticate => false;

    public string AuthenticationType => BASIC_SCHEME;

    public Authorization Authenticate(string challenge, WebRequest request, ICredentials credentials)
    {
        if (!challenge.StartWith(BASIC_SCHEME)) return null;
        // Some code to get Basic from ICredentials
    }

    public Authorization PreAuthenticate(WebRequest request, ICredentials credentials)
    {
        return null;
    }
}

public class BearerAuthenticationModule : IAuthenticationModule
{
    private const string BEARER_SCHEME = "Bearer";

    public bool CanPreAuthenticate => false;

    public string AuthenticationType => BEARER_SCHEME;

    public Authorization Authenticate(string challenge, WebRequest request, ICredentials credentials)
    {
        if (!challenge.StartWith(BEARER_SCHEME)) return null;
        // Some code to get Bearer from ICredentials
    }

    public Authorization PreAuthenticate(WebRequest request, ICredentials credentials)
    {
        return null;
    }
}

Also pay attention that the challenge is the content of the WWW-Authenticate header send by the server after a first unauthorized response (401) which is not related to the "basic" that you write in the CredentialCache

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to determine which implementation of an abstract class to use? How to implement a custom IAuthenticationModule for bearer tokens with RestSharp How to use WebRequest in c# Use the ActivatorUtilities to determine which implementation to inject at runtime How to determine that a partial method has no implementation How is a static method returning a object of its own abstract class - WebRequest C# - How to use webrequest to mimic a curl call How to POST an Object to Web API from .NET 3.5 WebClient or WebRequest How to write to Stream object returned from WebRequest.GetRequestStream() How to use WebRequest to POST some data and read response?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM