ASP.NET Web API (2): Security authentication using HTTP Basic authentication


As soon as we started working with the Web API we ran into the need for authentication, so this article covers the simplest way to add it: HTTP Basic authentication.

HTTP Basic Authentication principle

HTTP defines the Basic authentication scheme so that an HTTP server can authenticate the user behind a Web browser (or any other HTTP client). When a client requests data from the server without having authenticated, the server challenges it; it then checks the user name and password the client supplies through the Basic scheme to decide whether the user is legitimate.

The basic way to achieve this is:

After the user enters a user name and password, the client joins them with a ":" and Base64-encodes the result. Base64 is an encoding, not encryption: anyone holding the string can reverse it. For example, with user name Parry and password 123456 the string Parry:123456 becomes UGFycnk6MTIzNDU2, and the client sends this value in the request header on every subsequent request as Authorization: Basic UGFycnk6MTIzNDU2.

On every request the server reads the attached credentials, Base64-decodes them, and checks the user name and password. If they are correct, it returns the data the client asked for; otherwise it returns an error code, or asks the client for a user name and password again by responding 401 Unauthorized with a WWW-Authenticate: Basic header.

Web API uses HTTP Basic authentication for secure authentication

We continue testing with the example from the previous article.

First we implement an HTTP Basic authentication attribute derived from System.Web.Http.AuthorizeAttribute, overriding two methods: OnAuthorization and HandleUnauthorizedRequest.

Add a class HttpBasicAuthorizeAttribute that inherits from System.Web.Http.AuthorizeAttribute (the file needs using System; using System.Text; and using System.Web.Http;), and start with OnAuthorization.

    public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        var authorization = actionContext.Request.Headers.Authorization;
        // Only the Basic scheme is accepted (scheme names are case-insensitive);
        // a missing header, another scheme, or an empty parameter counts as no credentials
        if (authorization != null
            && string.Equals(authorization.Scheme, "Basic", StringComparison.OrdinalIgnoreCase)
            && authorization.Parameter != null)
        {
            string userInfo;
            try
            {
                // The parameter is the Base64-encoded "username:password" string sent by the client
                userInfo = Encoding.UTF8.GetString(Convert.FromBase64String(authorization.Parameter));
            }
            catch (FormatException)
            {
                // Malformed Base64 would otherwise surface as a 500; treat it as a failed login
                HandleUnauthorizedRequest(actionContext);
                return;
            }
            // User authentication logic: replace this hard-coded comparison with your own user store
            if (string.Equals(userInfo, string.Format("{0}:{1}", "Parry", "123456")))
            {
                // Credentials accepted: return without raising a challenge and the request continues to the action
                return;
            }
        }
        HandleUnauthorizedRequest(actionContext);
    }

actionContext.Request.Headers.Authorization.Parameter is the Base64 string sent by the client, so we have to decode it first. To keep the test simple the user name and password are compared against hard-coded values; this is the place to plug in your own system's validation logic.
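The header format described in the principle section above and the decoding and comparison that OnAuthorization performs, written out as an added Python example so that both halves of the exchange can be run offline. This is not the article's C# code and not part of ASP.NET Web API; the user Parry/123456, the realm label "Web API" and the sample header values are constructed for the demo. It goes slightly beyond the article's attribute: it checks the scheme, rejects malformed Base64 with a 401 instead of an exception, splits on the first colon only (passwords may contain colons), and compares the password in constant time.

```python
"""Client and server halves of an HTTP Basic authentication exchange (RFC 7617).

Added example, not the article's C# attribute. The credential store, the
realm label and every header value below are constructed for the demo.
"""
import base64
import hmac

# Constructed demo credential store: the single user the article hard-codes.
USERS = {"Parry": "123456"}
REALM = "Web API"  # assumed realm label; browsers show it in the login prompt


def build_authorization_header(username, password):
    """Client side: 'user:pass' -> Base64 -> 'Basic <token>' (RFC 7617 section 2)."""
    if ":" in username:
        # RFC 7617 forbids a colon in the user-id, because the server splits on the first one.
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_authorization_header(value):
    """Server side: return (username, password), or None if the header is not usable.

    A missing header, a different scheme, invalid Base64 or a payload without a
    ':' all yield None so the caller can answer 401 rather than crash with a 500.
    """
    if not value:
        return None
    parts = value.split(None, 1)
    # Scheme names are case-insensitive (RFC 7235 section 2.1).
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True)
        decoded = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if ":" not in decoded:
        return None
    # Split on the FIRST colon only: passwords may legitimately contain ':'.
    username, password = decoded.split(":", 1)
    return username, password


def authenticate(authorization_header):
    """The decision OnAuthorization makes, as (status, response_headers, user).

    200 with the user name on success; 401 with a WWW-Authenticate challenge
    otherwise, which is what makes a browser prompt for credentials.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = parse_authorization_header(authorization_header)
    if creds is None:
        return 401, challenge, None
    username, password = creds
    expected = USERS.get(username)  # user names are matched case-sensitively
    # compare_digest keeps the comparison time independent of where the
    # strings first differ (user-enumeration timing is not addressed here).
    if expected is None or not hmac.compare_digest(
        password.encode("utf-8"), expected.encode("utf-8")
    ):
        return 401, challenge, None
    return 200, {}, username


def demo():
    """Replay the exchange: unauthenticated request, challenge, retry with credentials."""
    first = authenticate(None)  # no Authorization header yet -> 401 + challenge
    header = build_authorization_header("Parry", "123456")
    second = authenticate(header)  # browser resends with the encoded credentials
    return first, header, second


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The same header value the article observes in Fiddler is produced by build_authorization_header("Parry", "123456"); feeding it to parse_authorization_header gives the user name and password back, which is exactly why Basic authentication offers no secrecy without TLS.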

Next, override HandleUnauthorizedRequest so that a failed or missing login sends the client a new challenge and it is prompted again. The code is as follows:

    protected override void HandleUnauthorizedRequest(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        var challengeMessage = new System.Net.Http.HttpResponseMessage(System.Net.HttpStatusCode.Unauthorized);
        // The WWW-Authenticate challenge is what makes the browser show its login prompt;
        // the realm is an arbitrary label for the protected area and is displayed in that prompt
        challengeMessage.Headers.Add("WWW-Authenticate", "Basic realm=\"Web API\"");
        throw new System.Web.Http.HttpResponseException(challengeMessage);
    }

Once this class is complete, enabling HTTP Basic authentication for a controller is a matter of marking the controller class with the attribute, [HttpBasicAuthorize].

We will now test the validation process.

When we request this API again, the browser prompts for a user name and password.

Capturing the traffic with Fiddler at this point shows the 401 response carrying the WWW-Authenticate header.

After the correct user name and password are supplied, the browser adds the header Authorization: Basic UGFycnk6MTIzNDU2 to the request, which is simply Parry:123456 Base64-encoded.

The request then succeeds. If the credentials entered are wrong, the server answers with HTTP status code 401 Unauthorized and a fresh challenge, and the browser prompts again.

The data returned after the correct user information is entered.

Advantages and disadvantages of HTTP Basic authentication

The advantage is that the logic is simple and straightforward, and setup is minimal: there is no session or token to manage.

The disadvantage is just as obvious: Base64 is reversible, so the credentials are effectively sent in plaintext, and anyone who can observe the traffic (or a proxy log) can recover them and reuse them. Running the API over HTTPS is the usual remedy, since it encrypts the header in transit; the server still receives and compares the raw password, so it must also be stored and checked carefully.

What's more, HTTP is stateless, so the same client has to send its credentials with every request and the server verifies them every time.

Given that, the next article discusses the second method of authentication: Digest authentication.

If you think the article is OK, recommend it, haha.

Source code download
