
Credentials to an HTTP POST request.

Author
22 Aug 2006 11:13 PM
Kevin Burton
I am trying to post an HTTP request to a site that requires a user name and
password. I am trying the following:

            objRequest = DirectCast(System.Net.HttpWebRequest.Create(urlString), System.Net.HttpWebRequest)
            Dim credentials As New CredentialCache()
            credentials.Add(New Uri(urlString), "Basic", New NetworkCredential("user", "password"))
            'Dim credentials As NetworkCredential = New NetworkCredential()
            objRequest.Credentials = credentials

But using Fiddler I don't see any of the security authorization header
information so I am wondering if the user name and password is getting
passed. First does the above look correct?

Thank you.

Kevin

Author
23 Aug 2006 7:57 AM
Vadym Stetsyak
Hello, Kevin!

[skipped]

KB> But using Fiddler I don't see any of the security authorization header
KB> information so I am wondering if the user name and password is getting
KB> passed. First does the above look correct?

What Http Response do you get, when you issue your request?

--
Regards, Vadym Stetsyak
www: http://vadmyst.blogspot.com
Author
23 Aug 2006 1:22 PM
Kevin Burton
I just get a web exception when I try to read the response.

Author
23 Aug 2006 1:38 PM
Vadym Stetsyak
Hello, Kevin!

Did you check WebException.Response property?

--
Regards, Vadym Stetsyak
www: http://vadmyst.blogspot.com
Author
23 Aug 2006 4:57 PM
Kevin Burton
The response is Nothing/null on the exception.

Author
24 Aug 2006 7:51 PM
Joerg Jooss
Thus wrote Kevin,

> I am trying to post an HTTP request to a site that requires a user
> name and password. I am trying the following:
>
> objRequest = DirectCast(System.Net.HttpWebRequest.Create(urlString), System.Net.HttpWebRequest)
> Dim credentials As New CredentialCache()
> credentials.Add(New Uri(urlString), "Basic", New NetworkCredential("user", "password"))
> 'Dim credentials As NetworkCredential = New NetworkCredential()
> objRequest.Credentials = credentials
> But using Fiddler I don't see any of the security authorization header
> information so I am wondering if the user name and password is getting
> passed. First does the above look correct?

Authorization headers are never being sent with the first request, only after
an initial challenge from the server. If you set HttpWebRequest.PreAuthenticate
to true, all subsequent requests after the first will contain Authorization
headers. If PreAuthenticate is set to false, there will be a challenge/response
exchange for each request to a protected resource.

Cheers,
--
Joerg Jooss
news-re***@joergjooss.de
Author
24 Aug 2006 9:34 PM
Kevin Burton
Thank you very much for your time this information helps a lot.

If PreAuthenticate is false then when are the Authentication headers set?
The challenge/response is against which resource? If it fails is the
application notified.

Thanks again.

Kevin

Author
25 Aug 2006 4:15 PM
Joerg Jooss
Thus wrote Kevin,

> Thank you very much for your time this information helps a lot.
>
> If PreAuthenticate is false then when are the Authentication headers
> set?

After every HTTP 401 response. See http://msdn2.microsoft.com/en-us/library/system.net.httpwebrequest.preauthenticate.aspx.

> The challenge/response is against which resource?

What do you mean by "against"?

If you access a protected resource on the server side (like a web page) without
credentials (as per HTTP Authorize header), the server will respond with
a 401 response, in which case the client resubmits the request including
the Authorize header. PreAuthenticate prevents this double roundtrip except
the first one that accesses a protected resource.

> If it fails is
> the application notified.

Sure, you'll get a WebException with Status set to ProtocolError and its
Response containing the HTTP error response.

Cheers,

--
Joerg Jooss
news-re***@joergjooss.de
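
The client side of the exchange described in the replies above, as an added example that is not code from any poster in this thread: a POST with Basic credentials, PreAuthenticate enabled, and the two failure cases separated (an HTTP error response versus a WebException whose Response is Nothing). The module and function names are assumptions, and the HTTPS check is an added precaution because Basic only base64-encodes the password.

```vbnet
Imports System
Imports System.IO
Imports System.Net
Imports System.Text

Module BasicAuthPostExample ' hypothetical module name
    ' Returns the response body, or a short description of why the request failed.
    Function PostWithBasicAuth(ByVal url As String, ByVal user As String, ByVal password As String, ByVal body As String) As String
        Dim target As New Uri(url)
        ' Basic sends the password base64-encoded, not encrypted: refuse plain HTTP.
        If target.Scheme <> Uri.UriSchemeHttps Then Throw New ArgumentException("Basic authentication requires https", "url")
        Dim request As HttpWebRequest = DirectCast(WebRequest.Create(target), HttpWebRequest)
        request.Method = "POST"
        request.ContentType = "application/x-www-form-urlencoded"
        Dim cache As New CredentialCache()
        cache.Add(target, "Basic", New NetworkCredential(user, password))
        request.Credentials = cache
        ' The first request to this URI still goes out without Authorization and is
        ' answered with 401; later requests in this process send the header up front.
        request.PreAuthenticate = True
        Dim payload As Byte() = Encoding.UTF8.GetBytes(body)
        request.ContentLength = payload.Length
        Try
            Using stream As Stream = request.GetRequestStream()
                stream.Write(payload, 0, payload.Length)
            End Using
            Using response As HttpWebResponse = DirectCast(request.GetResponse(), HttpWebResponse)
                Using reader As New StreamReader(response.GetResponseStream())
                    Return reader.ReadToEnd()
                End Using
            End Using
        Catch ex As WebException
            If ex.Status = WebExceptionStatus.ProtocolError Then
                ' The server answered with an error status, e.g. 401 after rejected credentials.
                Dim failed As HttpWebResponse = DirectCast(ex.Response, HttpWebResponse)
                Dim code As Integer = CInt(failed.StatusCode)
                failed.Close()
                Return "HTTP error " & code
            End If
            ' No HTTP reply was received (DNS, connect, TLS, timeout): ex.Response is Nothing.
            Return "Transport failure: " & ex.Status.ToString()
        End Try
    End Function
End Module
```

In a proxy trace of a successful call to a protected URL, the first POST has no Authorization header, the server replies 401 with WWW-Authenticate, and the resubmitted POST carries the header.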
Author
25 Aug 2006 6:55 PM
Kevin Burton
Again thank you for your patience.

The documentation that you directed me to only gives an example of GET. Is a
POST handled differently?

When I create a NetworkCredential I give a user name and password (no
domain). I would like to manually authenticate this user name and password. I
don't want the OS, Active Directory, etc. to authenticate these credentials.
That is what I mean by "against". I need to control what is authenticating
these credentials.

For this simple case there is no access to a protected resource. The
incoming data is tied to the POST and if the credentials match (are
authenticated) then the response will be a response to the POST. Can I expect
to get a PreAuthenticate event in the HttpApplication under these conditions?

Thanks again.

Author
26 Aug 2006 12:08 PM
Joerg Jooss
Thus wrote Kevin,

> Again thank you for your patience.
>
> The documentation that you directed me to only gives an example of
> GET. Is a POST handled differently?

No.

> When I create a NetworkCredential I give a user name and password (no
> domain). I would like to manually authenticate this user name and
> password. I don't want the OS, Active Directory, etc. to authenticate
> these credentials. That is what I mean by "against". I need to control
> what is authenticating these credentials.

But that's a different question, isn't it? Authentication happens on the
server side, but HttpWebRequest is a client side class. What you're really
asking is how to tap into IIS's Basic Authentication implementation to provide
your own authentication realm. I guess that requires your own Basic Authentication
HttpModule and bypassing IIS Basic Authentication completely.

> For this simple case there is no access to a protected resource.

Whenever there is a need for authentication, there is a protected resource
;-)

>  The incoming data is tied to the POST and if the credentials match (are
> authenticated) then the response will be a response to the POST. Can I
> expect to get a PreAuthenticate event in the HttpApplication under
> these conditions?

There's no PreAuthenticate event in HttpApplication, only AuthenticateRequest
and PostAuthenticateRequest. When you're running IIS with Basic Authentication
enabled, the user's identity (i.e. HttpContext.User.Identity) will be set
accordingly (at latest) when PostAuthenticateRequest fires.

Cheers,
--
Joerg Jooss
news-re***@joergjooss.de
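
The custom Basic Authentication HttpModule suggested in the reply above, as an added example that is not code from any poster in this thread: it handles AuthenticateRequest, checks the Authorization header against the application's own store, and issues the 401 challenge itself. The class name, realm, user name, salt and password are constructed assumptions, and it presumes IIS Basic Authentication is disabled with anonymous access enabled so the header reaches the module.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Security.Principal
Imports System.Text
Imports System.Web

Public Class CustomBasicAuthModule ' hypothetical name
    Implements IHttpModule
    ' Constructed demo record; a real store keeps a per-user salt and hash, never the password.
    Private Shared ReadOnly Salt As Byte() = Encoding.ASCII.GetBytes("constructed-salt")
    Private Shared ReadOnly DemoHash As Byte() = New Rfc2898DeriveBytes("constructed-password", Salt, 10000).GetBytes(32)

    Public Sub Init(ByVal app As HttpApplication) Implements IHttpModule.Init
        AddHandler app.AuthenticateRequest, AddressOf OnAuthenticateRequest
    End Sub
    Public Sub Dispose() Implements IHttpModule.Dispose
    End Sub

    Private Sub OnAuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim ctx As HttpContext = DirectCast(sender, HttpApplication).Context
        Dim user As String = Authenticate(ctx.Request.Headers("Authorization"))
        If user IsNot Nothing Then
            ctx.User = New GenericPrincipal(New GenericIdentity(user, "Basic"), New String() {})
        Else ' missing or bad credentials: send the challenge the client answers on its retry
            ctx.Response.StatusCode = 401
            ctx.Response.AddHeader("WWW-Authenticate", "Basic realm=""example-realm""")
            ctx.ApplicationInstance.CompleteRequest()
        End If
    End Sub

    ' Returns the authenticated user name, or Nothing when the header is absent or invalid.
    Private Shared Function Authenticate(ByVal header As String) As String
        If header Is Nothing OrElse Not header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase) Then Return Nothing
        Dim decoded As String
        Try
            decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim()))
        Catch ex As FormatException
            Return Nothing ' malformed base64
        End Try
        Dim sep As Integer = decoded.IndexOf(":"c)
        If sep < 0 Then Return Nothing
        Dim candidate As Byte() = New Rfc2898DeriveBytes(decoded.Substring(sep + 1), Salt, 10000).GetBytes(32)
        Dim diff As Integer = 0 ' OR all byte differences so timing does not reveal the mismatch position
        For i As Integer = 0 To DemoHash.Length - 1
            diff = diff Or (candidate(i) Xor DemoHash(i))
        Next
        If diff = 0 AndAlso decoded.Substring(0, sep) = "demo-user" Then Return decoded.Substring(0, sep)
        Return Nothing
    End Function
End Class
```

The module is registered in the `<httpModules>` section of web.config and should only be served over HTTPS, since the Authorization header carries the password base64-encoded.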
Author
26 Aug 2006 9:36 PM
Kevin Burton
Thank you again. I am starting to understand.

Adding the credentials to the HttpWebRequest does not seem to alter the flow
on the server side. The credentials are ignored and the request succeeds. I
guess my real question is, "Setting the credentials on the client request
doesn't seem to trigger any events on the server side. So what do I need to
do on the server side to require these credentials? How do I make a need for
authentication? And then once this need is created what events will be
generated on the server that will need to be responded to in order for the
request to succeed?"

Thanks again.

Kevin

Author
28 Aug 2006 9:26 PM
Joerg Jooss
Thus wrote Kevin,

> Thank you again. I am starting to understand.
>
> Adding the credentials to the HttpWebRequest does not seem to alter
> the flow on the server side. The credentials are ignored and the
> request succeeds. I guess my real question is, "Setting the
> credentials on the client request doesn't seem to trigger any events
> on the server side. So what do I need to do on the server side to
> require these credentials?
> How do I make a need for authentication?

You have to configure IIS to apply Basic Authentication. But as I said, it's
handled completely inside IIS and is based on Windows Domains as realm.

> And then once this need is created what events will be generated on
> the server that will need to be responded to in order for the request
> to succeed?"

I answered that in my previous post. There are AuthenticateRequest and PostAuthenticateRequest.

Cheers,
--
Joerg Jooss
news-re***@joergjooss.de
