
Supporting multiple authentication policies in ASP.NET 4 Web application

Consider an application that includes a set of ReST web services built using ASP.NET 4 and native C++ IIS modules.

We need to be able to support 2 authentication policies:

  • internal users can call our ReST endpoints directly from inside another client application (say implemented in Silverlight or Java), where they are already authenticated against an internal single sign on provider, supplying a security token as part of the HTTP call.

  • for test, we want to allow users to access the ReST endpoint using a browser, so we need to allow them to authenticate by entering user name/password (which we will check against the single sign on provider on the web server). For this we are considering using ASP.NET Forms or Digest.

(so in one case the user is already authenticated - but we need to verify this for every call; in the other case we need to challenge them to provide the credentials)

The question is how to support these 2 scenarios.

I cannot find a solution which will work in both cases:

  • If I get a call from an application (non-browser) and the token is missing, I cannot redirect them to login.aspx as the application that's calling us doesn't know what to do with a bunch of HTML (login form). I need to return response code 401.

  • However, if I get a call from a web browser, which has not been authenticated, I cannot return 401 without offering the user the possibility of entering their credentials.

Has anyone faced this problem before?

Thanks in advance.

PS The fact that some web services will be implemented in C++ complicates things, but if we go with forms authentication at least I can use integrated pipeline and use forms for the native module as well.

We are going to implement multiple authentication schemes using the HTTP headers and each client type will respond to the challenge that it supports.

For example:

  • client requests a resource
  • server responds with 401 and WWW-Authenticate: Basic, Custom Realm: secure area
  • browsers can respond with credentials according to basic access authentication (for example)
  • calls from within other applications that have already authenticated the users will provide token using the "Custom" authentication scheme.

We are also going to create a custom authentication HttpModule implemented in .NET which will be used for the entire web site (including applications implemented in C++).
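The module sketched in the answer above, written out as an added example (this is not code from the thread or from any project it mentions). It assumes an ASP.NET 4 site in the IIS integrated pipeline, a hypothetical "Custom" scheme that carries the single sign on token in the Authorization header, and two placeholder hooks (`CheckPassword`, `ResolveToken`) standing in for whatever API the SSO provider actually exposes. When no usable credentials arrive, it answers 401 with both challenges, so a browser prompts for Basic credentials while an application client supplies its token under "Custom".

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

// Added example, not from the original thread: one managed IHttpModule that accepts
// either "Basic" (browser credential prompt) or a hypothetical "Custom" token scheme.
public class DualSchemeAuthModule : IHttpModule
{
    private const string Realm = "secure area";

    // Placeholders for the single sign on provider; assign real implementations in
    // Application_Start. The page never names the SSO API, so these are assumptions.
    public static Func<string, string, bool> CheckPassword = (user, pass) => false;
    public static Func<string, string> ResolveToken = token => null; // user name or null

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        IIdentity identity = TryAuthenticate(ctx.Request.Headers["Authorization"]);
        if (identity != null)
        {
            ctx.User = new GenericPrincipal(identity, new string[0]);
            return;
        }

        // No valid credentials: send both challenges and stop the pipeline here.
        // Two WWW-Authenticate headers are legal; each client picks the scheme it knows.
        ctx.Response.StatusCode = 401;
        ctx.Response.AppendHeader("WWW-Authenticate", "Basic realm=\"" + Realm + "\"");
        ctx.Response.AppendHeader("WWW-Authenticate", "Custom realm=\"" + Realm + "\"");
        app.CompleteRequest();
    }

    // Parses "<scheme> <parameter>" and validates per scheme; null means "not authenticated".
    internal static IIdentity TryAuthenticate(string authorization)
    {
        if (string.IsNullOrWhiteSpace(authorization)) return null;

        int space = authorization.IndexOf(' ');
        if (space < 0) return null;
        string scheme = authorization.Substring(0, space);
        string parameter = authorization.Substring(space + 1).Trim();

        if (scheme.Equals("Basic", StringComparison.OrdinalIgnoreCase))
        {
            string decoded;
            try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter)); }
            catch (FormatException) { return null; } // malformed base64 is just a failed attempt

            int colon = decoded.IndexOf(':');
            if (colon < 0) return null;
            string user = decoded.Substring(0, colon);
            string pass = decoded.Substring(colon + 1);
            return CheckPassword(user, pass) ? new GenericIdentity(user, "Basic") : null;
        }

        if (scheme.Equals("Custom", StringComparison.OrdinalIgnoreCase))
        {
            // The token is checked against the SSO provider on every call, as the question requires.
            string user = ResolveToken(parameter);
            return user != null ? new GenericIdentity(user, "Custom") : null;
        }

        return null; // unknown scheme: treated as unauthenticated
    }
}
```

To cover the native C++ handlers as well, register the module under `<system.webServer><modules>` in web.config and let it run for all requests (`runAllManagedModulesForAllRequests="true"`, or an empty `preCondition` on the module entry); set `<authentication mode="None" />` so the FormsAuthenticationModule does not turn the 401 into a redirect to login.aspx, which is exactly the behaviour the application clients cannot handle. Basic sends the password in clear, so the Basic challenge should only be offered over TLS.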
