Custom authentication in a web application

I've run against a problem which I'm *sure* must be easy to solve - but
I'm blowed if I can find the answer :(

I have a web service which I want to require authentication. I need to
authenticate using a database lookup, so Windows, Passport and Forms
authentication are (as far as I can tell) no good to me.

I don't need impersonation.

I would like to use HTTP basic or preferrably digest authentication -
and this is from a Pocket PC Compact Framework client, if that makes
any odds. If necessary, I can write my own custom authentication module
for the client to use non-standard headers if that helps, but obviously
I'd rather not. (I *think* I know how to do that, admittedly.)

My problem is working out what to do on the server side. I basically
need to intercept the request at the point of authentication, and
insert my own authentication module at that point. I *suspect* I need
to implement IHttpModule, but I'm not sure. If I do, I've no idea where
to put anything to use it.

This must be simple, as it's no doubt a very common requirement. Anyone
care to put me out of my misery?

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too
Nov 21 '05 #1
Jon Skeet [C# MVP] wrote:
> I've run against a problem which I'm *sure* must be easy to solve - but
> I'm blowed if I can find the answer :(
>
> I have a web service which I want to require authentication. I need to
> authenticate using a database lookup, so Windows, Passport and Forms
> authentication are (as far as I can tell) no good to me.
>
> I don't need impersonation.
>
> I would like to use HTTP basic or preferrably digest authentication -
> and this is from a Pocket PC Compact Framework client, if that makes
> any odds. If necessary, I can write my own custom authentication module
> for the client to use non-standard headers if that helps, but obviously
> I'd rather not. (I *think* I know how to do that, admittedly.)
>
> My problem is working out what to do on the server side. I basically
> need to intercept the request at the point of authentication, and
> insert my own authentication module at that point. I *suspect* I need
> to implement IHttpModule, but I'm not sure. If I do, I've no idea where
> to put anything to use it.
>
> This must be simple, as it's no doubt a very common requirement. Anyone
> care to put me out of my misery?

We do this using Windows Authentication with our security data stored in
a SQL server database. On the server we create our own principal object
that inherits from WindowsPrincipal. In Global.asax in the
AuthenticateRequest handler we replace the HttpContext.Current.User with
our principal object, passing HttpContext.Current.User.Identity as
WindowsIdentity to the constructor. Our principal object overrides the
two overloads of IsInRole to use our own security check. We have also
added a HasPermission method to our principal so we can demand a
permission whenever we need to. So our AuthenticateRequest handler
looks as follows:

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    // this will throw an exception if windows auth not turned on
    // (WindowsPrincipal's constructor rejects a null WindowsIdentity)
    // Also note we have to set the context here since ASP.NET will take
    // what's in the context and place it on the Thread.CurrentPrincipal property
    CustomServerPrincipal princ = new CustomServerPrincipal(
        HttpContext.Current.User.Identity as WindowsIdentity);
    HttpContext.Current.User = princ;

    // verify that this user is authorized to get into Polaris
    if (!princ.HasPermission(authUserPerm))
    {
        throw new CustomSecurityException(
            String.Format(securityExceptionMessage, princ.Identity.Name));
    }
}

In any server side objects where we need to demand a permission, we now
simply take the current principal from the thread as our custom
principal and demand the permission. Ex:

CustomServerPrincipal principal =
    System.Threading.Thread.CurrentPrincipal as CustomServerPrincipal;
// The 'as' cast yields null if AuthenticateRequest did not install our
// principal; fail closed instead of dereferencing it.
if (principal == null || !principal.HasPermission(deletePermission))
{
    throw new CustomSecurityException(principal, deletePermission);
}
--
Tom Porterfield
Nov 21 '05 #2
(Thanks ever so much for the reply, btw. It's a good start for me :)

Tom Porterfield <tp******@mvps.org> wrote:
> We do this using Windows Authentication with our security data stored in
> a SQL server database. On the server we create our own principal object
> that inherits from WindowsPrincipal.

Any reason for using Windows Authentication here rather than any of the
other types?

> In Global.asax in the
> AuthenticateRequest handler we replace the HttpContext.Current.User with
> our principal object, passing HttpContext.Current.User.Identity as
> WindowsIdentity to the constructor. Our principal object overrides the
> two overloads of IsInRole to use our own security check. We have also
> added a HasPermission method to our principal so we can demand a
> permission whenever we need to. So our AuthenticateRequest handler
> looks as follows:
>
> protected void Application_AuthenticateRequest(Object sender, EventArgs e)
> {
> // this will throw an exception if windows auth not turned on

How does the behaviour differ between the situation where the user
actually *is* a valid Windows user for the system, and where they're
not? Isn't ASP.NET or IIS going to have tried to use whatever the
client provides as Windows authentication by now?

> // Also note we have to set the context here since ASP.NET will take
> // what's in the context and place it on the Thread.CurrentUser property
> CustomServerPrincipal princ = new CustomServerPrincipal as
> WindowsIdentity);
> HttpContext.Current.User = princ;

Any reason for doing it as WindowsIdentity rather than just setting it
as a CustomServerPrincipal?

Presumably before setting the value you check whether the user/password
combination is valid?

> // verify that this user is authorized to get into Polaris
> if (!princ.HasPermission(authUserPerm))
> {
> throw new
> CustomSecurityException(String.Format(securityExceptionMessage,
> princ.Identity.Name));
> }
> }

Does the type of exception matter here, out of interest?

> In any server side objects where we need to demand a permission, we now
> simply take the current principal from the thread as our custom
> principal and demand the permission. Ex:
>
> CustomServerPrincipal principal =
> System.Threading.Thread.CurrentPrincipal as CustomServerPrincipal;
> if (!principal.HasPermission(deletePermission))
> {
> throw new CustomSecurityException(principal, deletePermission);
> }


Right - that bit I think I'm reasonably happy with.

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too
Nov 21 '05 #3
Hi Jon,

Take a look at Greg Reinacker's digest authentication sample, I believe it
shows how to do what you want:

http://www.rassoc.com/gregr/weblog/s...Directory.html

The sample authenticates against user account information in a simple XML
file, but it should be easy to modify it to authenticate against custom user
account information in a database.

Regards,
Sami

Nov 21 '05 #4
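Jon's question was where the server-side hook lives and how to wire it up. The following is an added example, not code from this thread or from Greg Reinacker's sample: an IHttpModule that performs HTTP Basic authentication at the AuthenticateRequest stage against an application-supplied credential lookup and installs a GenericPrincipal for the rest of the pipeline. Basic is shown instead of Digest because it needs no nonce bookkeeping; the cost is that the client sends the password merely base64-encoded, so the module refuses credentials that did not arrive over TLS. Passwords are verified against a salted PBKDF2 hash with a length-independent comparison. BasicAuthModule, ICredentialStore, InMemoryCredentialStore, the realm string, the user "skeet" and its password are all assumptions made for illustration; the web.config fragment in the leading comment is the classic-pipeline registration.

```csharp
// Added example, not from the thread. Assumes ASP.NET on .NET Framework 2.0+;
// every type and member name below is an illustrative assumption.
// Register in web.config (classic pipeline; IIS 7+ integrated mode uses
// <system.webServer><modules> instead):
//   <system.web>
//     <authentication mode="None" />
//     <httpModules><add name="BasicAuth" type="BasicAuthModule" /></httpModules>
//   </system.web>
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;

// Stand-in for the database lookup the original poster needs.
public interface ICredentialStore
{
    // Salt, PBKDF2 hash and roles for a user; false if the user is unknown.
    bool TryGet(string userName, out byte[] salt, out byte[] hash, out string[] roles);
}

public sealed class BasicAuthModule : IHttpModule
{
    private const string Realm = "example-service";   // assumption
    private const int Iterations = 100000;            // PBKDF2 work factor (assumption)
    private static readonly ICredentialStore Store = new InMemoryCredentialStore();

    public void Init(HttpApplication app)
    {
        // The pipeline stage the original poster wanted to intercept.
        app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
    }

    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // Basic sends user:password merely base64-encoded; refuse it off TLS.
        if (!ctx.Request.IsSecureConnection) { Deny(ctx, 403, null); return; }

        string user;
        string[] roles;
        string header = ctx.Request.Headers["Authorization"];
        if (header != null && TryAuthenticate(Store, header, out user, out roles))
        {
            // ASP.NET copies Context.User to Thread.CurrentPrincipal after this event.
            ctx.User = new GenericPrincipal(new GenericIdentity(user, "Basic"), roles);
            return;
        }
        // Missing or bad credentials: challenge and stop before the handler runs.
        Deny(ctx, 401, "Basic realm=\"" + Realm + "\"");
    }

    // Set the status, optionally a challenge header, and end the request.
    private static void Deny(HttpContext ctx, int status, string challenge)
    {
        ctx.Response.StatusCode = status;
        if (challenge != null) ctx.Response.AppendHeader("WWW-Authenticate", challenge);
        ctx.ApplicationInstance.CompleteRequest();
    }

    // Parses "Basic base64(user:password)" and verifies it against the store.
    public static bool TryAuthenticate(ICredentialStore store, string header,
                                       out string user, out string[] roles)
    {
        user = null;
        roles = null;
        if (!header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; }

        int colon = decoded.IndexOf(':');   // the user-id may not contain ':'; the password may
        if (colon <= 0) return false;
        string name = decoded.Substring(0, colon);
        string password = decoded.Substring(colon + 1);

        byte[] salt, expected;
        if (!store.TryGet(name, out salt, out expected, out roles)) return false;
        if (!FixedTimeEquals(Derive(password, salt, expected.Length), expected)) return false;
        user = name;
        return true;
    }

    public static byte[] Derive(string password, byte[] salt, int length)
    {
        return new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(length);
    }

    // Compare every byte so timing does not reveal where the first mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Constructed sample store with one user; a real one would query the database.
internal sealed class InMemoryCredentialStore : ICredentialStore
{
    private readonly byte[] userSalt = Encoding.ASCII.GetBytes("0123456789abcdef"); // constructed; generate per user
    private readonly byte[] userHash;

    public InMemoryCredentialStore()
    {
        userHash = BasicAuthModule.Derive("correct horse battery staple", userSalt, 32); // constructed
    }

    public bool TryGet(string userName, out byte[] salt, out byte[] hash, out string[] roles)
    {
        bool known = userName == "skeet";
        salt = known ? userSalt : null;
        hash = known ? userHash : null;
        roles = known ? new string[] { "user" } : null;
        return known;
    }
}
```

Two caveats on the example. Request.IsSecureConnection describes the connection to this server, so behind a TLS-terminating proxy it reads false and the check has to consult whatever the proxy sets instead. Digest, which Jon preferred, keeps the password off the wire but still obliges the server to store either the clear-text password or MD5(user:realm:password) per account, so the credential table changes shape either way.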
Sami Vaaraniemi <sa**********@pleasejippii.fi> wrote:
> Take a look at Greg Reinacker's digest authentication sample, I believe it
> shows how to do what you want:
>
> http://www.rassoc.com/gregr/weblog/s...ebServicesSecurityHttpDigestAuthenticationWithoutActiveDirectory.html
>
> The sample authenticates against user account information in a simple XML
> file, but it should be easy to modify it to authenticate against custom user
> account information in a database.


Having had a very (very!) quick look at it, that looks ideal - thanks
ever so much.

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too
Nov 21 '05 #5
Jon Skeet [C# MVP] wrote:
> (Thanks ever so much for the reply, btw. It's a good start for me :)
>
>> We do this using Windows Authentication with our security data stored in
>> a SQL server database. On the server we create our own principal object
>> that inherits from WindowsPrincipal.
>
> Any reason for using Windows Authentication here rather than any of the
> other types?

This is an internal app where we have complete control of the
workstation configuration where we would be called from. We don't
necessarily know who the client is, or will be in the future.
WindowsAuthentication for web applications is company policy.

>> In Global.asax in the
>> AuthenticateRequest handler we replace the HttpContext.Current.User with
>> our principal object, passing HttpContext.Current.User.Identity as
>> WindowsIdentity to the constructor. Our principal object overrides the
>> two overloads of IsInRole to use our own security check. We have also
>> added a HasPermission method to our principal so we can demand a
>> permission whenever we need to. So our AuthenticateRequest handler
>> looks as follows:
>>
>> protected void Application_AuthenticateRequest(Object sender, EventArgs e)
>> {
>> // this will throw an exception if windows auth not turned on
>
> How does the behaviour differ between the situation where the user
> actually *is* a valid Windows user for the system, and where they're
> not? Isn't ASP.NET or IIS going to have tried to use whatever the
> client provides as Windows authentication by now?

Yes, so effectively there are two levels of security involved here. But
since we may not know who our client is, we don't want to rely on the
fact that they have properly authorized the user. Right now you simply
have to be authenticated to a trusted domain to execute our web
services. Another option would be to create a domain group and only
folks in that domain group have access. By using windows authentication
that is possible, but again the scenario here is we want to use our own
security database. If in the future we wanted to use true windows
authentication, or active directory, our custom principal object would
need to change but nothing else in the application would need to change.
When you know your clients are all at least running Windows, this
seemed like the logical future-protection mechanism.

>> // Also note we have to set the context here since ASP.NET will take
>> // what's in the context and place it on the Thread.CurrentUser property
>> CustomServerPrincipal princ = new CustomServerPrincipal as
>> WindowsIdentity);
>> HttpContext.Current.User = princ;
>
> Any reason for doing it as WindowsIdentity rather than just setting it
> as a CustomServerPrincipal?

The code didn't get in there properly. The constructor of
WindowsPrincipal takes a WindowsIdentity as the parameter. The line
should be:

CustomServerPrincipal princ = new
CustomServerPrincipal(HttpContext.Current.User.Identity as WindowsIdentity);

> Presumably before setting the value you check whether the user/password
> combination is valid?

Since all of our users are internal, the fact that they have
successfully logged on to our domain means they are validated. And
again, maybe that is a difference here that would require a different
approach for you. So no need to check that they are valid. Rather we
only need to check to see if their ID has authority to our service.

>> // verify that this user is authorized to get into Polaris
>> if (!princ.HasPermission(authUserPerm))
>> {
>> throw new
>> CustomSecurityException(String.Format(securityExceptionMessage,
>> princ.Identity.Name));
>> }
>> }
>
> Does the type of exception matter here, out of interest?

We have encapsulated the exceptions so as to capture and present the
exception information in a way that is consistent for our services. So
from a generic standpoint, no it doesn't matter.

>> In any server side objects where we need to demand a permission, we now
>> simply take the current principal from the thread as our custom
>> principal and demand the permission. Ex:
>>
>> CustomServerPrincipal principal =
>> System.Threading.Thread.CurrentPrincipal as CustomServerPrincipal;
>> if (!principal.HasPermission(deletePermission))
>> {
>> throw new CustomSecurityException(principal, deletePermission);
>> }
>
> Right - that bit I think I'm reasonably happy with.


--
Tom Porterfield
Nov 21 '05 #6
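Tom describes his CustomServerPrincipal in posts #2 and #6 but the class itself never appears in the thread. The following is an added example, not Tom's code, of one way to write that pattern end to end: the principal wraps the WindowsIdentity that IIS already verified, loads the account's grants once from an application-supplied store, routes the IsInRole overloads through that store instead of Windows group membership, and exposes HasPermission plus a fail-closed Demand. The Global.asax handler installs it at AuthenticateRequest and gates entry with a permission, as the thread does, but ends the request with a 401 when IIS did not authenticate the caller rather than throwing. IPermissionStore, InMemoryPermissionStore, CustomSecurityException's constructor, the permission names and the account "CORP\skeet" are assumptions made for illustration.

```csharp
// Added example, not the thread's code. Assumes ASP.NET on .NET Framework 3.5+
// with <authentication mode="Windows" /> and anonymous access disabled in IIS.
// All type, member and permission names are illustrative assumptions.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Stand-in for the SQL Server permission lookup described in the thread.
public interface IPermissionStore
{
    // Permissions and "role:<name>" entries granted to a Windows account (DOMAIN\user).
    ICollection<string> GrantsFor(string accountName);
}

public sealed class CustomSecurityException : Exception
{
    public CustomSecurityException(string account, string permission)
        : base(String.Format("'{0}' lacks permission '{1}'", account, permission)) { }
}

public sealed class CustomServerPrincipal : WindowsPrincipal
{
    private readonly HashSet<string> grants;

    // WindowsPrincipal's constructor throws ArgumentNullException when identity is
    // null, which is what a missing Windows authentication configuration produces.
    public CustomServerPrincipal(WindowsIdentity identity, IPermissionStore store)
        : base(identity)
    {
        if (store == null) throw new ArgumentNullException("store");
        // One database round trip per request; everything below is in-memory.
        grants = new HashSet<string>(store.GrantsFor(identity.Name), StringComparer.OrdinalIgnoreCase);
    }

    // Both overloads consult the application database, not Windows group membership.
    public override bool IsInRole(string role)
    {
        return grants.Contains("role:" + role);
    }

    public override bool IsInRole(WindowsBuiltInRole role)
    {
        return IsInRole(role.ToString());
    }

    public bool HasPermission(string permission)
    {
        return grants.Contains(permission);
    }

    // Fail closed: callers demand rather than test and carry on.
    public void Demand(string permission)
    {
        if (!HasPermission(permission))
            throw new CustomSecurityException(Identity.Name, permission);
    }

    // Use this instead of an unchecked 'as' cast on Thread.CurrentPrincipal: if
    // AuthenticateRequest did not run, or installed something else, refuse.
    public static CustomServerPrincipal Current
    {
        get
        {
            CustomServerPrincipal p = Thread.CurrentPrincipal as CustomServerPrincipal;
            if (p == null) throw new CustomSecurityException("<no principal>", "any");
            return p;
        }
    }
}

// Global.asax code-behind.
public class Global : HttpApplication
{
    private static readonly IPermissionStore Store = new InMemoryPermissionStore();

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        WindowsIdentity id = Context.User == null ? null : Context.User.Identity as WindowsIdentity;
        if (id == null || !id.IsAuthenticated)
        {
            // IIS did not authenticate the caller; do not let the handler run.
            Response.StatusCode = 401;
            CompleteRequest();
            return;
        }
        CustomServerPrincipal princ = new CustomServerPrincipal(id, Store);
        Context.User = princ;        // ASP.NET copies this to Thread.CurrentPrincipal
        princ.Demand("AuthUser");    // gate on entry, as the thread does
    }
}

// Inside a service method:  CustomServerPrincipal.Current.Demand("Delete");

// Constructed stand-in for the permission table.
internal sealed class InMemoryPermissionStore : IPermissionStore
{
    public ICollection<string> GrantsFor(string accountName)
    {
        if (String.Equals(accountName, @"CORP\skeet", StringComparison.OrdinalIgnoreCase))
            return new string[] { "AuthUser", "Delete", "role:Admin" };
        return new string[0];
    }
}
```

An exception thrown from AuthenticateRequest, as in the handler quoted above, surfaces as an unhandled error (an HTTP 500) unless Application_Error translates it, so the example only throws once a principal is in place and the caller is known; the missing-identity path ends the request with a 401 instead.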
