HTTP Basic Authentication for RESTful Services

Source: Internet
Author: User

The most common way to handle user authentication is as follows: the user submits a form containing the user name and password, and a server-side script validates it. If validation passes, the user is marked as authenticated in the session, so the user stays authenticated for the lifetime of that session. The biggest problem with session-based authentication is that it does not conform to the REST style. More directly, it breaks the stateless nature of HTTP and thus becomes an obstacle to scalability.
The two standard authentication methods specified in RFC 2617 (Basic and Digest) differ fundamentally from the session approach because they preserve the stateless nature of HTTP, and are therefore the recommended choice.

What is HTTP Basic Authentication? For more information, see http://en.wikipedia.org/wiki/basic_authentication_scheme.

When you access a URL that requires HTTP Basic Authentication without providing a user name and password, the server returns 401. If you open the URL directly in the browser, the browser prompts you to enter the user name and password (not in Google).

There are two ways to add the HTTP Basic Authentication information when sending a request:

    • First, add an Authorization header to the request:
      Authorization: Basic <Base64-encoded "username:password">
    • The second is to add the user name and password to the URL:

The WCF Data Services Team recently published a series of articles about OData services and the authentication mechanisms available on the client. For more information, see http://www.infoq.com/cn/news/2010/07/odata-authentication-series, which also describes HTTP Basic Authentication:

Custom Basic Authentication: scenarios involving challenge-response authentication at the infrastructure level (such as IIS). If a simple user name or password does not meet the requirements, the user/password information must be stored in the database.

For IIS 7, a project on CodePlex can solve this problem: http://custombasicauth.codeplex.com.
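
The check a custom Basic authentication module performs on each request, sketched in Python as an added example (not code from this page or from the CodePlex project): it answers with a 401 challenge when credentials are missing, malformed or wrong, and otherwise verifies the Base64-decoded user name and password against a salted-hash store that stands in for the database. The user name, password, salt, realm and function names are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed credential store standing in for the database table:
# username -> (salt, PBKDF2-HMAC-SHA256 hash). All values are hypothetical.
ITERATIONS = 100_000

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

USERS = {"alice": (b"constructed-salt", _hash("s3cret:with:colons", b"constructed-salt"))}

# Response sent whenever credentials are missing, malformed or wrong.
CHALLENGE = (401, {"WWW-Authenticate": 'Basic realm="api", charset="UTF-8"'})

def parse_basic(header):
    """Return (username, password) from an Authorization header, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # Base64 is an encoding, not encryption: decoding needs no key.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the FIRST colon only: passwords may contain colons, user names may not.
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None

def authenticate(headers):
    """Stateless check run on every request: returns (status, response_headers)."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return CHALLENGE
    username, password = creds
    # Hash even for unknown users so response time does not reveal valid names.
    salt, stored = USERS.get(username, (b"dummy-salt", b""))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return (200, {}) if ok else CHALLENGE
```

Because the header is only Base64-encoded and is sent with every request, this scheme should be served over TLS only.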

Custombasicauth installation method:

1. Open the command line as an administrator

rem -----------!!! Run as administrator !!!
rem ---

2. Register the assemblies in the GAC

rem ----------- 1 GAC DLLs -----------------

rem HTTP module
gacutil -if leastprivilege.custombasicauthenticationmodule.dll

rem server configuration module
gacutil -if leastprivilege.custombasicauthentication.management.dll

rem client UI module
gacutil -if leastprivilege.custombasicauthentication.management.client.dll

3. Register custombasicauthentication_schema

rem ----------- 2 register schema -----------------
iisschema.exe /install custombasicauthentication_schema.xml

4. Register the management module

rem ----------- 2 register management -----------------
iisregmgmt custombasicauth leastprivilege.custombasicauthentication.management.custombasicauthenticationmoduleprovider leastprivilege.custombasicauthentication.management.dll

5. Configure it in a specific web application; refer to the following article:

http://www.leastprivilege.com/HTTPBasicAuthenticationAgainstNonWindowsAccountsInIISASPNETPart3AddingWCFSupport.aspx

Related Articles:

Custom Security OData Service - WCF Data Services

http://franssenden.wordpress.com/2010/06/14/custom-security-odata-service-wcf-data-services/
