Looking for some general design recommendations on an authentication scheme
for B2B transactions inbound via an HTTP Post Listener ASPX page that reads
the binary stream from the request body. I would like to add an
authentication process that validates the incoming transaction prior to
processing the post content. Although adding username and password to the
post content is feasible, it is one of the last solutions since it will
involve many customers reformatting their messages.
Some design ideas that I have in mind are adding a custom request header to
store username and pswd.
Recommendations please.
You should look into Basic Authentication then.
-Brock
DevelopMentor http://staff.develop.com/ballen
Here is a link to a very good resource for web authentication topics... not
your exact one I think, but it might help: http://msdn.microsoft.com/library/de...cnetlpmsdn.asp
Can you elaborate more on the basic authentication design?
I assume it would involve setting the Request Header's authorization tag and
then placing the username and password separated by a colon, and then reading
the authorization tag in the response and handling it appropriately.
Only issue is that I cannot set the Request Header authorization since it is
read only.
Any ideas?
> I assume it would involve setting the Request Header's authorization tag and then placing the username and password separated by a colon, and then reading the authorization tag in the response and handling it appropriately.
Yep, that's the gist. Here's the RFC: http://www.faqs.org/rfcs/rfc2617.html
> Only issue is that I cannot set the Request Header authorization since it is read only.
I don't follow.. what do you mean? Are you building the client or the server
or both?
-Brock
DevelopMentor http://staff.develop.com/ballen
Brock,
Have you tried this? The Request.Authorization is read only?
I like this approach, just unsure if it can be done?
> The Request.Authorization is read only?
So this is in the server. Of course it's read only as it's the information
posted to you.
So let's start over. You need to authenticate in your server. How are you
storing the credentials? Are they windows accounts, or is it stored in your
own custom database? If it's a windows account, then letting IIS manage the
aspects of Basic Authentication is the way to go. It won't let the request
in unless they've passed the proper credentials. If it's your own database,
then you'll have to read the headers (the ones that are read only) and do
the check yourself.
I feel like I'm missing something about your question... So sorry if this
doesn't address exactly what you're looking for.
-Brock
DevelopMentor http://staff.develop.com/ballen
Credentials are stored in the database, for example licenseKey=12345.
The customer is making a request to webpage1.aspx and performing an http
post with their message in the request body. My design is to tell the
customer to send their licenseKey 12345 as a custom header in the request,
then when the webpage is processing the request it will retrieve this key
along with the request body (data).
The only thing that is unknown is how do I tell the customer to send in the
licenseKey as a request header and how does the application then read it in
during the processing? Can custom request headers be made or can I fill this
data into the current Http.Authorization header?
From my findings, I cannot create a custom request header, or change a
pre-existing one. That said, this design may not be the correct approach.
Thanks for all your feedback, I appreciate it.
> The only thing that is unknown is how do I tell the customer to send in the licenseKey as a request header and how does the application then read it in during the processing? Can custom request headers be made or can I fill this data into the current Http.Authorization header?
So whatever technology they're using to create the HTTP request, they'll
have some API to add headers. Do you know who the client is? What technology
are they using? .NET? Or something else? Like I said, in any case, they'll
have some API to add a header.
In the server (your code) you simply access Request.Headers["YourHeaderID"]
which returns a string. You don't need to modify this in the server, just
read it to do your authentication.
I think your design sounds fine as long as the clients are fine with putting
the custom header in there. If they're writing code to access your server,
then this should not be a problem. The only additional thing I'd like to
see in your design is to always use SSL for your server. HTTP is sent across
the network in plaintext, so I can sniff the network packets and steal the
header.
-Brock
DevelopMentor http://staff.develop.com/ballen
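A server-side check of the kind Brock describes above, as an added example that is not from this thread or from DevelopMentor. It assumes a hypothetical X-Customer-Id / X-License-Key header pair and a LookupLicense stub standing in for the database; it accepts either that pair or an RFC 2617 Basic credential, refuses the key over plain HTTP, and compares it in constant time before the page touches the post body.

```csharp
using System;
using System.Text;
using System.Web;

// Hypothetical helper for the listener page (not from the thread).
public static class ListenerAuth
{
    // Parse an RFC 2617 Basic credential: "Basic " + base64("user:password").
    // Returns false for anything malformed; the password itself may contain ':'.
    public static bool TryParseBasic(string header, out string user, out string password)
    {
        user = password = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; }
        int colon = decoded.IndexOf(':');
        if (colon < 0) return false;            // RFC 2617 requires the colon
        user = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }

    // Compare two secrets without short-circuiting on the first mismatch,
    // so response time does not reveal how many characters were right.
    public static bool SecretsEqual(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Stand-in for the database lookup (licenseKey=12345 in the thread).
    // Constructed sample: customer "acme" holds key "12345".
    static string LookupLicense(string customerId)
    {
        return customerId == "acme" ? "12345" : null;
    }

    // Call this before reading Request.InputStream. Accepts either a Basic
    // credential (customerId:licenseKey) or the custom-header variant.
    public static bool IsAuthorized(HttpRequest req, HttpResponse resp)
    {
        if (!req.IsSecureConnection) { resp.StatusCode = 403; return false; } // key never travels over plain HTTP
        string user, secret;
        if (!TryParseBasic(req.Headers["Authorization"], out user, out secret))
        {
            user = req.Headers["X-Customer-Id"];    // assumed header names
            secret = req.Headers["X-License-Key"];
        }
        string expected = user == null ? null : LookupLicense(user);
        if (expected != null && SecretsEqual(expected, secret)) return true;
        resp.StatusCode = 401;
        resp.AddHeader("WWW-Authenticate", "Basic realm=\"b2b-listener\"");
        return false;
    }
}
```

In the listener page's Page_Load, `if (!ListenerAuth.IsAuthorized(Request, Response)) { Response.End(); return; }` runs first, and only then is the binary body read from Request.InputStream.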
For simplicity assume the customer is using asp.net. I would like to write a
test client to add the request.authorization header, but unable to find a way
to set this header. I am not sure that this is possible. Do you have any
samples?
SSL is the current solution. Thanks again!
So to write a test client, look into the System.Web.HttpWebRequest and System.Web.HttpWebResponse classes.
-Brock
DevelopMentor http://staff.develop.com/ballen
Brock,
After several attempts I have determined that a custom HTTP header cannot be
added and retrieved in .Net.
Following is a supporting article that reiterates my discovery. http://www.asp.net/Default.aspx?tabindex=9&tabid=48
If you know otherwise, or have done something similar, please let me know
since this hurdle puts an end to my design.
Thanks again for your feedback.
> After several attempts I have determined that a custom HTTP header cannot be added and retrieved in .Net.
You can add a header, and send it to the browser.
You can retrieve any header sent by the browser to the server.
But typically, the browser does not add headers it receives to requests it
sends out. That's what the article says.
Greetings,
Wessel
Wessel,
Have you tried to add a custom header in the request (prior to page posting)
and then retrieve it in the response (after page post)? It cannot be done,
using IIS and .NET, at least.
> Have you tried to add a custom header in the request (prior to page posting) and then retrieve it in the response (after page post)? I cannot be done, using IIS and .NET, at least.
Sure I have. Put this in an .asmx page:
using System;
using System.Web.UI;

// Code-behind: echo the custom request header back as a custom response header
public partial class Mirror : Page
{
    private void Page_Load(object sender, EventArgs e)
    {
        Response.AddHeader("CustomHeaderFromServer", Request.Headers["CustomHeaderFromClient"]);
    }
}
From a client, call the web page like this:
using System;
using System.IO;
using System.Net;

// Returns the value the server echoed back in CustomHeaderFromServer
static string CallServer()
{
    // Set up the request to the server
    string sRequest = "GET / HTTP/1.0";
    HttpWebRequest myRequest = (HttpWebRequest)
        WebRequest.Create("http://yoururl/");
    myRequest.Headers.Add("CustomHeaderFromClient",
        "CustomDataFromClient");
    myRequest.Method = "POST";
    // Post the request to the server
    StreamWriter sw = new StreamWriter(
        myRequest.GetRequestStream());
    sw.Write(sRequest);
    sw.Close();
    // Read response from the server
    HttpWebResponse myResponse = (HttpWebResponse)
        myRequest.GetResponse();
    string sData = myResponse.Headers["CustomHeaderFromServer"];
    myResponse.Close();
    return sData;
}
After this, sData will contain the header information from the request:
"CustomDataFromClient"
Of course, the average web server doesn't mirror your headers back to
you. You have to control the server to do that.
Greetings,
Wessel