Supporting multiple authentication policies in ASP.NET 4 Web application

开发者 (devze.com) https://www.devze.com 2023-02-10 05:41 Source: Internet
Consider an application that includes a set of ReST web services built using ASP.NET 4 and native C++ IIS modules.

We need to be able to support 2 authentication policies:

  • internal users can call our ReST endpoints directly from inside another client application (say, implemented in Silverlight or Java), where they are already authenticated against an internal single sign-on provider, supplying a security token as part of the HTTP call.

  • for test, we want to allow users to access the ReST endpoint using a browser, so we need to allow them to authenticate by entering user name/password (which we will check against the single sign-on provider on the web server). For this we are considering using ASP.NET Forms or Digest.

(so in one case the user is already authenticated, but we need to verify this for every call; in the other case we need to challenge them to provide the credentials)

The question is how to support these 2 scenarios.

I cannot find a solution which will work in both cases:

  • If I get a call from an application (non-browser) and the token is missing, I cannot redirect them to login.aspx as the application that's calling us doesn't know what to do with a bunch of HTML (login form). I need to return response code 401.

  • However, if I get a call from a web browser, which has not been authenticated, I cannot return 401 without offering the user the possibility of entering their credentials.

Has anyone faced this problem before?

Thanks in advance.

P.S. The fact that some web services will be implemented in C++ complicates things, but if we go with forms authentication at least I can use integrated pipeline and use forms for the native module as well.


We are going to implement multiple authentication schemes using the HTTP headers and each client type will respond to the challenge that it supports.

For example:

  • client requests a resource
  • server responds with 401 and WWW-Authenticate: Basic, Custom Realm: secure area
  • browsers can respond with credentials according to basic access authentication (for example)
  • calls from within other applications that have already authenticated the users will provide token using the "Custom" authentication scheme.

We are also going to create a custom authentication HttpModule implemented in .NET which will be used for the entire web site (including applications implemented in C++).

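The following is an added example of the dual-challenge HttpModule the answer above describes; it is not code from the question, the answer or any project, and it assumes names that are not on the page: the module class `DualSchemeAuthModule`, the interface `ISsoVerifier` (standing in for the internal single sign-on provider), the placeholder `StubSsoVerifier`, and the convention that the `Custom` scheme carries a bare opaque token after the scheme name. It looks at the `Authorization` header on every request, accepts either `Basic` (the browser test path) or `Custom` (the already-authenticated client path), and otherwise answers 401 with both challenges in one `WWW-Authenticate` header so each client type can pick the scheme it supports.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

// Assumed abstraction over the internal single sign-on provider; both calls hit the SSO
// on every request, because the token must be re-verified on each call.
public interface ISsoVerifier
{
    bool ValidateCredentials(string userName, string password);   // browser path (Basic)
    bool ValidateToken(string token, out string userName);        // application path (Custom)
}

// Placeholder that denies everything; replace with the real SSO client.
sealed class StubSsoVerifier : ISsoVerifier
{
    public bool ValidateCredentials(string userName, string password) { return false; }
    public bool ValidateToken(string token, out string userName) { userName = null; return false; }
}

public class DualSchemeAuthModule : IHttpModule
{
    private const string Realm = "secure area";
    private static readonly ISsoVerifier Sso = new StubSsoVerifier();

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        string header = ctx.Request.Headers["Authorization"];

        IPrincipal principal = null;
        if (!string.IsNullOrEmpty(header))
        {
            // "<scheme> <parameter>"; the scheme token is compared case-insensitively.
            int space = header.IndexOf(' ');
            string scheme = space > 0 ? header.Substring(0, space) : header;
            string parameter = space > 0 ? header.Substring(space + 1).Trim() : string.Empty;

            if (scheme.Equals("Basic", StringComparison.OrdinalIgnoreCase))
                principal = AuthenticateBasic(parameter);
            else if (scheme.Equals("Custom", StringComparison.OrdinalIgnoreCase))
                principal = AuthenticateToken(parameter);
            // Any other scheme falls through to the challenge below.
        }

        if (principal != null)
        {
            ctx.User = principal;   // downstream handlers (managed or native) see the identity
            return;
        }

        Challenge(ctx);
        app.CompleteRequest();      // skip straight to EndRequest; no HTML login page is sent
    }

    // Basic only base64-encodes "user:password", so this path must be HTTPS-only.
    private static IPrincipal AuthenticateBasic(string parameter)
    {
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter)); }
        catch (FormatException) { return null; }

        int colon = decoded.IndexOf(':');
        if (colon <= 0) return null;
        string user = decoded.Substring(0, colon);
        string pass = decoded.Substring(colon + 1);

        return Sso.ValidateCredentials(user, pass)
            ? new GenericPrincipal(new GenericIdentity(user, "Basic"), new string[0])
            : null;
    }

    private static IPrincipal AuthenticateToken(string token)
    {
        string user;
        return !string.IsNullOrEmpty(token) && Sso.ValidateToken(token, out user)
            ? new GenericPrincipal(new GenericIdentity(user, "Custom"), new string[0])
            : null;
    }

    private static void Challenge(HttpContext ctx)
    {
        ctx.Response.Clear();
        ctx.Response.StatusCode = 401;
        // Both challenges in a single header (comma-separated challenge list):
        // a browser answers the Basic one, an application client answers the Custom one.
        ctx.Response.AppendHeader("WWW-Authenticate",
            "Basic realm=\"" + Realm + "\", Custom realm=\"" + Realm + "\"");
    }
}
```

Two things to check when wiring this in. First, for the module to cover the native C++ handlers as well, the site must run in the IIS integrated pipeline and the module must be registered under `system.webServer/modules` without the `managedHandler` precondition, otherwise it only runs for ASP.NET requests. Second, the built-in FormsAuthenticationModule turns a 401 into a redirect to the login page at the end of the request, which is exactly the behaviour the question wants to avoid for non-browser clients, so forms authentication should not be enabled alongside this module.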