[Transfer]asp.net Authority Authentication: HTTP Basic Authentication

This article transferred from: http://www.cnblogs.com/lanxiaoke/p/6353955.html

HTTP Basic Authentication

HTTP Basic authentication, which is HTTP-Basic authentication.

The client sends a request to the server that carries an authentication credential based on the username/password. The authentication voucher is in the format "{Username}:{password}" and is encoded with BASE64 encoding, and the encoded certificate is stored in the request header authorization, similar to the authorization header value: Basic mtizndu2ojeymzq1ng==. After the server receives the request, it extracts the voucher from the authorization header and decodes it, and finally implements the authentication using the extracted username and password. Once the authentication is successful, the request is processed normally and a normal response is returned.

Note: In fact, the basic parameter transmission is a good way of data transmission encryption, OH, more use of this front-end data interaction method of the project a lot, but generally with https use, this behind again.

Create a new demo

Demo is simple, create a new Attribute:basicauthorizeattribute to achieve basic certification

12345678910111213141516171819202122232425262728

publicclassBasicAuthorizeAttribute : AuthorizeAttribute{    protectedoverrideboolIsAuthorized(System.Web.Http.Controllers.HttpActionContext actionContext)    {        if(actionContext.Request.Method == HttpMethod.Options) returntrue;        if(actionContext.Request.Headers.Authorization != null&& actionContext.Request.Headers.Authorization.Parameter != null)        {            varauthorizationParameter = Convert.FromBase64String(actionContext.Request.Headers.Authorization.Parameter);            varbasicArray = Encoding.Default.GetString(authorizationParameter).Split(‘:‘);            varuserid = basicArray[0];            varpassword = basicArray[1];            if(userid == "123456"&& password == "123456")            {                returntrue;            }        }        returnfalse;    }    protectedoverridevoidHandleUnauthorizedRequest(HttpActionContext actionContext)    {        var responseMessage = newHttpResponseMessage(HttpStatusCode.Unauthorized);        responseMessage.Headers.Add("WWW-Authenticate", "Basic");        thrownewHttpResponseException(responseMessage);    }}

1

1, convert.frombase64string this sentence is to decrypt the BASE64 encrypted message in the authorization value, and then get the formatted user login data: {Username}:{password}
User userid can be customized to verify the user's legitimacy

2, Handleunauthorizedrequest Rewrite This method is for the server to return to the Basic authentication format, that is, the foreground popup of the login box,
and BASE64 encryption and message transmission this is not a basic authentication unique, our form data transfer can be used in this way

The usage is also very simple, the Apicontroller or method is added to the top properties, such as:

12345

[BasicAuthorize]publicIEnumerable<string> Get(){    return new string[] { "value1", "value2"};}

　　

Okay, let's take a look at the allowable effects.

As scheduled, enter the user account to see the resources accessed

BASE64 encryption is very low, it is generally not directly in this way to encrypt the transmission of data

Because base64 encryption is stored in the client message, and decryption is very simple, almost equivalent to the plaintext transmission, without any custom key encryption, all generally not recommended

If it is necessary to use base64 + HTTPS, we will run the program in the HTTPS environment below.

1. IIS Express properties, enabling SSL

Development environment vs. SSL is so simple, hehe.

2, run the website again, show normal

3. Click OK

Why? Very confused, isn't it?? It is not said that HTTPS is encrypted transmission, but the authorization information appears to be transmitted in clear text.

Oh, this question I also puzzled for a long time.

4, we first look at http and https different places

A layer of SSL, this SSL layer is not reflected in the web side , so we see HTTP and HTTPS run, access to/api/values generated by the HTML encoding is the same

The difference is the way HTTPS is transmitted, the transmission is encrypted

In addition, the content in the client and the server is clear text display, oh, we have to pay attention to.

5, for the HTTPS transmission encryption research, has gone beyond the scope of this chapter, according to my online understanding, HTTPS under certain conditions can also be caught packet.

However, after the encrypted data, no private key to grab the package is useless. All safe to use

ASP. NET Permission Authentication series

1. asp: Forms Authentication
2. asp: HTTP Basic authentication (HTTP base)
3. NET rights authentication: Windows Authentication
4. asp: Digest Authentication (Digest authentication)
5. asp: Owin Implementation of OAuth 2.0 client-side mode (credential)
6. asp: Owin Implementation of the OAuth 2.0 password mode (Resource Owner Password credential)
7. asp: Owin Implementation of the OAuth 2.0 Authorization Code mode (Authorization code)
8. asp: Owin Implementation of the OAuth 2.0 simplified mode (implicit)

Category: Permission authentication

[Transfer]asp.net Authority Authentication: HTTP Basic Authentication