asp: HTTP Basic Authentication

First, HTTP Basic authentication

HTTP Basic authentication, which is HTTP-Basic authentication.

The client sends a request to the server that carries an authentication credential based on the username/password. The authentication voucher is in the format "{Username}:{password}" and is encoded with BASE64 encoding, and the encoded certificate is stored in the request header authorization, similar to the authorization header value: Basic mtizndu2ojeymzq1ng==. After the server receives the request, it extracts the voucher from the authorization header and decodes it, and finally implements the authentication using the extracted username and password. Once the authentication is successful, the request is processed normally and a normal response is returned.

Note: In fact, the basic parameter transmission is a good way of data transmission encryption, OH, more use of this front-end data interaction method of the project a lot, but generally with https use, this behind again.

Second, we create a new demo to explain

Demo is simple, create a new Attribute:basicauthorizeattribute to achieve basic certification

    public class Basicauthorizeattribute:authorizeattribute {protected override bool IsAuthorized (system.web. Http.Controllers.HttpActionContext actioncontext) {if (ActionContext.Request.Method = = Httpmethod.optio            NS) return true; if (actionContext.Request.Headers.Authorization! = null && ActionContext.Request.Headers.Authorization.Parameter! = null) {var authorizationparameter = Co Nvert.                FromBase64String (ActionContext.Request.Headers.Authorization.Parameter); var Basicarray = Encoding.Default.GetString (authorizationparameter).                Split (': ');                var userid = basicarray[0];                var password = basicarray[1];                if (UserID = = "123456" && password = = "123456") {return true;        }} return false;    } protected override void Handleunauthorizedrequest (Httpactioncontext actioncontext)    {var responsemessage = new Httpresponsemessage (httpstatuscode.unauthorized);            RESPONSEMESSAGE.HEADERS.ADD ("Www-authenticate", "Basic");        throw new Httpresponseexception (responsemessage); }    }

1, convert.frombase64string this sentence is to decrypt the BASE64 encrypted message in the authorization value, and then get the formatted user login data: {Username}:{password}
User userid can be customized to verify the user's legitimacy

2, Handleunauthorizedrequest Rewrite This method is for the server to return to the Basic authentication format, that is, the  foreground pop-up login box, which is the basic authentication compared to other authentication methods of the most characteristic
are almost unique, and BASE64 encryption and message transmission this is not considered to be Basic authentication, our form data transmission can be used in this way

The usage is also very simple, the Apicontroller or method is added to the top properties, such as:

        [Basicauthorize]        Public ienumerable<string> Get ()        {            return new string[] {"value1", "value2"};        }

　　

Okay, let's take a look at the allowable effects.

As scheduled, enter the user account to see the resources accessed

Third, BASE64 encryption strength is very low, it is generally not directly in this way to encrypt the transmission of data

Because base64 encryption is stored in the client message, and decryption is very simple, almost equivalent to the plaintext transmission, without any custom key encryption, all generally not recommended

If it is necessary to use base64 + HTTPS, we will run the program in the HTTPS environment below.

1. IIS Express properties, enabling SSL

Development environment vs. SSL is so simple, hehe.

2, run the website again, show normal

3. Click OK

Why? Very confused, isn't it?? It is not said that HTTPS is encrypted transmission, but the authorization information appears to be transmitted in clear text.

Oh, this question I also puzzled for a long time.

4, we first look at http and https different places

A layer of SSL, this SSL layer is not reflected in the web side , so we see HTTP and HTTPS run, access to/api/values generated by the HTML encoding is the same

The difference is the way HTTPS is transmitted, the transmission is encrypted

In addition, the content in the client and the server is clear text display, oh, we have to pay attention to.

5, for the HTTPS transmission encryption research, has gone beyond the scope of this chapter, according to my online understanding, HTTPS under certain conditions can also be caught packet.

However, after the encrypted data, no private key to grab the package is useless. All safe to use

asp: HTTP Basic Authentication