I am currently working on the application that need to simulate basic
authentication programmatically using user's credentials that are known.
Basically, the need is for a single sign on with a third party application.
The scenario is the following: a third party application (iChain I believe,
from Novell) is used to authenticate the user against Novell eDirectory. Once
authentication is complete a user is taken to a portal from which they are
able to access application A. Application A is a ASP.NET application running
on IIS 6. Right now I am thinking of having developers of portal to pass
user's credentials either as form fields or header value and then use those
credentials to simulate basic authentication in ASP.NET portal without the
password popup screen that is usually seen by users when entering a website
with Basic Authentication setup. I would assume that changing the header
value and adding "Authorization" header with username:password value in
Base64 would do the trick, however I realized that the Request is a read only
object within the application and cannot be modified. Right now I have the
following chunk of code that does what I need, however, its only does it when
called this way. since the request object I've created is a seperate request,
the only way to pass credentials is using that request object, however I need
to be able to authenticate user once and then permit browse of entire ASP.NET
application as authenticated user. I am not sure how to do it and I need some
help.
// I am getting user name and password for testing purpose
username = ConfigurationManager.AppSettings.Get("username");
password = ConfigurationManager.AppSettings.Get("password");
Response.Clear();
string usernamePassword1 = username + ":" + password;
// Request is created that will call a page named "Authenticated.aspx"
// Authenticated.aspx page contains a code for accessing Northwind database
using integrated security.
// This is done in order to use Basic Authentication with delegation to SQL
Server which will execute queries and stored
// procedures as that user. Currently, the code below works, but it only
works using the HttpWebRequest object I've created
HttpWebRequest req = (HttpWebRequest)WebRequest.Create("http://"; +
ConfigurationManager.AppSettings.Get("reqUrl"));
CredentialCache mycache = new CredentialCache();
// Credentials are specified here
mycache.Add(new Uri("http://"; +
ConfigurationManager.AppSettings.Get("reqUrl")), "Basic", new
NetworkCredential(username, password));
req.Credentials = mycache;
// This header is not neccessary for the peice of code to work, however, I
was thinkng that it might actually
// stay with all of the request therefore making the basic authentication
work. It does not stay with all requests and response
// only with this current request.
req.Headers.Add("Authorization", "Basic " + Convert.ToBase64String(new
ASCIIEncoding().GetBytes(usernamePassword1)));
HttpWebResponse res;
// I am calling getResponse method to get the response for the request
created above
res = (HttpWebResponse)req.GetResponse();
//Response.Write(res.StatusCode);
// Here I analyze the Status code and if it was OK then I am using
Server.Transfer to transfer
// the control to a different page. As I understand server.transfer keeps
the existing headers
// while Response.Redirect clears them out. I was thinking that by doing
server.transfer the header
// create above, "Authorization", will persist and allow the authentication
to stay for the session,
/// however, this does not work. Once I stop using res object, the
application is no longer authenticated
// and page fails to access the database since there are no credentials there.
if (res.StatusCode == HttpStatusCode.OK)
{
Debug.Write(Response.StatusCode);
Server.Transfer(ConfigurationManager.AppSettings.G et("reqUrlVirtual"));
}
else
Response.Write("Error: " + res.StatusCode);
I need to know how to make this scenario work. I need to enter ASP.NET
application and authenticate that user based on credentials passed to me
whichever way. If you know of a different solution, please let me know.
Sincerely,
Konstantin
