This article transferred from: http://www.cnblogs.com/lanxiaoke/p/6353955.html
HTTP Basic Authentication
HTTP Basic authentication, which is HTTP-Basic authentication.
The client sends a request to the server that carries an authentication credential based on the username/password. The authentication voucher is in the format "{Username}:{password}" and is encoded with BASE64 encoding, and the encoded certificate is stored in the request header authorization, similar to the authorization header value: Basic mtizndu2ojeymzq1ng==. After the server receives the request, it extracts the voucher from the authorization header and decodes it, and finally implements the authentication using the extracted username and password. Once the authentication is successful, the request is processed normally and a normal response is returned.
Note: In fact, the basic parameter transmission is a good way of data transmission encryption, OH, more use of this front-end data interaction method of the project a lot, but generally with https use, this behind again.
Create a new demo
Demo is simple, create a new Attribute:basicauthorizeattribute to achieve basic certification
12345678910111213141516171819202122232425262728 |
public
class
BasicAuthorizeAttribute : AuthorizeAttribute
{
protected
override
bool
IsAuthorized(System.Web.Http.Controllers.HttpActionContext actionContext)
{
if
(actionContext.Request.Method == HttpMethod.Options)
return
true
;
if
(actionContext.Request.Headers.Authorization !=
null
&& actionContext.Request.Headers.Authorization.Parameter !=
null
)
{
var
authorizationParameter = Convert.FromBase64String(actionContext.Request.Headers.Authorization.Parameter);
var
basicArray = Encoding.Default.GetString(authorizationParameter).Split(
‘:‘
);
var
userid = basicArray[0];
var
password = basicArray[1];
if
(userid ==
"123456"
&& password ==
"123456"
)
{
return
true
;
}
}
return
false
;
}
protected
override
void
HandleUnauthorizedRequest(HttpActionContext actionContext)
{
var responseMessage =
new
HttpResponseMessage(HttpStatusCode.Unauthorized);
responseMessage.Headers.Add(
"WWW-Authenticate"
,
"Basic"
);
throw
new
HttpResponseException(responseMessage);
}
}
|
1, convert.frombase64string this sentence is to decrypt the BASE64 encrypted message in the authorization value, and then get the formatted user login data: {Username}:{password}
User userid can be customized to verify the user's legitimacy
2, Handleunauthorizedrequest Rewrite This method is for the server to return to the Basic authentication format, that is, the foreground popup of the login box,
and BASE64 encryption and message transmission this is not a basic authentication unique, our form data transfer can be used in this way
The usage is also very simple, the Apicontroller or method is added to the top properties, such as:
12345 |
[BasicAuthorize] public IEnumerable< string > Get() { return new string [] { "value1" , "value2" }; } |
Okay, let's take a look at the allowable effects.
As scheduled, enter the user account to see the resources accessed
BASE64 encryption is very low, it is generally not directly in this way to encrypt the transmission of data
Because base64 encryption is stored in the client message, and decryption is very simple, almost equivalent to the plaintext transmission, without any custom key encryption, all generally not recommended
If it is necessary to use base64 + HTTPS, we will run the program in the HTTPS environment below.
1. IIS Express properties, enabling SSL
Development environment vs. SSL is so simple, hehe.
2, run the website again, show normal
3. Click OK
Why? Very confused, isn't it?? It is not said that HTTPS is encrypted transmission, but the authorization information appears to be transmitted in clear text.
Oh, this question I also puzzled for a long time.
4, we first look at http and https different places
A layer of SSL, this SSL layer is not reflected in the web side , so we see HTTP and HTTPS run, access to/api/values generated by the HTML encoding is the same
The difference is the way HTTPS is transmitted, the transmission is encrypted
In addition, the content in the client and the server is clear text display, oh, we have to pay attention to.
5, for the HTTPS transmission encryption research, has gone beyond the scope of this chapter, according to my online understanding, HTTPS under certain conditions can also be caught packet.
However, after the encrypted data, no private key to grab the package is useless. All safe to use
ASP. NET Permission Authentication series
- asp: Forms Authentication
- asp: HTTP Basic authentication (HTTP base)
- NET rights authentication: Windows Authentication
- asp: Digest Authentication (Digest authentication)
- asp: Owin Implementation of OAuth 2.0 client-side mode (credential)
- asp: Owin Implementation of the OAuth 2.0 password mode (Resource Owner Password credential)
- asp: Owin Implementation of the OAuth 2.0 Authorization Code mode (Authorization code)
- asp: Owin Implementation of the OAuth 2.0 simplified mode (implicit)
Category: Permission authentication
[Transfer]asp.net Authority Authentication: HTTP Basic Authentication