473,372 Members | 1,506 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,372 software developers and data experts.

Authentication not working on HTTP-POST using NetworkCredential


I am programming what is to be a web service client that will use an
HTTP-POST to request and retrieve data. The remote server (written in java
for what it's worth) requires basic authentication as per RFC 2617
(http://www.faqs.org/rfcs/rfc2617.html). My attempts to authenticate are
failing. The server requires the header to be present with the request.
For security reasons, it will not reply in any way if the header is not
present.

More specifically, my attempts fail when attempting to attach a
'NetworkCredential' object to the 'Credentials' property of a
'HttpWebRequest' object. If I create the header manually, everything works
fine. When attempting to do it 'the Microsoft Way' no authentication
information is sent in the header, even if I set 'PreAuthenticate' = true.

What am I missing? Below are two examples. Each has the code to send the
request followed by the captured request header.
- Patrick

------------------------------------------------------------
<< the code that fails >>

(( assume reqBytes and SomeURI already set ))

request = (HttpWebRequest) WebRequest.Create(SomeURI);

request.PreAuthenticate = true;
request.Credentials = new NetworkCredential("JoeBlow","MountainHo");

request.Timeout = 20 * 1000;
request.Method = "POST";
request.ContentType = "application/x-www-form-urlencoded";
request.ContentLength = reqBytes.Length;

Stream reqStream = request
reqStream.Write(reqBytes,0,reqBytes.Length);
reqStream.Close();

------------------------------
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1718
Expect: 100-continue
Connection: Keep-Alive
Host: me:10000

------------------------------------------------------------
<< the code that works>>

(( assume reqBytes and SomeURI already set ))

request = (HttpWebRequest) WebRequest.Create(SomeURI);

// 'GetManualAuthorization' written by me to generate RFC2617-compliant
basic authentication header
request.Headers.Add("Authorization", GetManualAuthorization("JoeBlow",
"MountainHo"));
request.Timeout = 20 * 1000;
request.Method = "POST";
request.ContentType = "application/x-www-form-urlencoded";
request.ContentLength = reqBytes.Length;

Stream reqStream = request
reqStream.Write(reqBytes,0,reqBytes.Length);
reqStream.Close();

------------------------------
POST / HTTP/1.1
Authorization: BASIC Sm9lQmxvdzpNb3VudGFpbkhv
Content-Type: application/x-www-form-urlencoded
Content-Length: 1718
Expect: 100-continue
Connection: Keep-Alive
Host: me:10000
Nov 22 '05 #1
3 6829
Hi Patrick,

The reason you are not seeing the credentials passed on the
inital request to the web server is because Microsoft is following
section 2 of RFC 2617(http://www.faqs.org/rfcs/rfc2617.html)

Hereís the main benefit of using pre-authenticate. Suppose Iím going to
make 50
requests to <http://server/path/> and this URL is protected with Basic
authentication. On the first request, the client gets challenged by the
server and
sends back a second request which contains information that the server
accepts
(assuming auth succeeds) so it can send back the requested resource.
With the pre-authenticate property set to true:
The remaining 49 requests will include the authorization information in the
first
request they send to the server so the server will not challenge the client
and
force it to do another round trip before getting the resource.
The total number of roundtrips between client and server will be 51.
With the pre-authenticate property set to false:
The remaining 49 requests will not include the authorization information in
the
first request and will therefore be challenged by the server on each first
request
and will only get the desired resource after sending the authorization
header in
the second request.
The total number of roundtrips between client and server will be 100.
In other words, pre-authenticate=true is one request shy of taking half the
time of
pre-authenticate=false. Note that pre-authentication only works for Digest
and
Basic in v1.0. It canít work for NTLM because it is connection-based
however the
fact that it is connection based means that youíll only get challenged once
per
connection so it isnít an issue if you are caching connections. In the
Whidbey
release of the .NET Framework weíll also support pre-authentication for
Kerberos.

In order to get the inital request to send credentials, you will need to
use the
workaround of overriding the GetWebRequest method in the proxy code.

(Hack code obtained from the Internet)
The PreAuthenticate property on .NET's
System.Web.Services.Protocols.SoapHttpClientProtoc ol is supposed to force
the SOAP
client proxy to send credentials with the first request, rather than doing
the
challenge/response exchange. If you add the following code to your SOAP
Client
proxy, you can make PreAuthenticate work (this example is for basic
authentication):
protected override System.Net.WebRequest
GetWebRequest(Uri uri) {
System.Net.HttpWebRequest request =
(System.Net.HttpWebRequest)base.GetWebRequest(uri) ;
if (this.PreAuthenticate) {
System.Net.NetworkCredential nc =
this.Credentials.GetCredential(uri,"Basic");
if (nc != null) {
byte[] credBuf =
new System.Text.UTF8Encoding().
GetBytes(nc.UserName + ":" + nc.Password);
request.Headers["Authorization"] =
"Basic " + Convert.ToBase64String(credBuf);
}
}
return request;
}

This work around modifies the web service proxy class which is
automatically generated. This means every time someone updates a "web
reference" in
Dev Studio, they would need to reinsert the "hack" code.

Let me know if you have any questions or conerns.

Regards,
Peter Huang
Microsoft Online Partner Support
Get Secure! www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
--------------------
From: "Patrick Fogarty" <pa*************@spam.hotmail.no.com>
Subject: Authentication not working on HTTP-POST using NetworkCredential
Date: Mon, 25 Aug 2003 13:49:49 -0400
Lines: 82
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <ev**************@TK2MSFTNGP12.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.aspnet.webservic es,microsoft.public.dotnet
framework.webservices,microsoft.public.dotnet.gene ralNNTP-Posting-Host: ool-182e5a0b.dyn.optonline.net 24.46.90.11
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP12.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.webservices:1297
microsoft.public.dotnet.general:105997
microsoft.public.dotnet.framework.aspnet.webservic es:19007X-Tomcat-NG: microsoft.public.dotnet.general
I am programming what is to be a web service client that will use an
HTTP-POST to request and retrieve data. The remote server (written in java
for what it's worth) requires basic authentication as per RFC 2617
(http://www.faqs.org/rfcs/rfc2617.html). My attempts to authenticate are
failing. The server requires the header to be present with the request.
For security reasons, it will not reply in any way if the header is not
present.

More specifically, my attempts fail when attempting to attach a
'NetworkCredential' object to the 'Credentials' property of a
'HttpWebRequest' object. If I create the header manually, everything works
fine. When attempting to do it 'the Microsoft Way' no authentication
information is sent in the header, even if I set 'PreAuthenticate' = true.

What am I missing? Below are two examples. Each has the code to send the
request followed by the captured request header.
- Patrick

------------------------------------------------------------
<< the code that fails >>

(( assume reqBytes and SomeURI already set ))

request = (HttpWebRequest) WebRequest.Create(SomeURI);

request.PreAuthenticate = true;
request.Credentials = new NetworkCredential("JoeBlow","MountainHo");

request.Timeout = 20 * 1000;
request.Method = "POST";
request.ContentType = "application/x-www-form-urlencoded";
request.ContentLength = reqBytes.Length;

Stream reqStream = request
reqStream.Write(reqBytes,0,reqBytes.Length);
reqStream.Close();

------------------------------
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1718
Expect: 100-continue
Connection: Keep-Alive
Host: me:10000

------------------------------------------------------------
<< the code that works>>

(( assume reqBytes and SomeURI already set ))

request = (HttpWebRequest) WebRequest.Create(SomeURI);

// 'GetManualAuthorization' written by me to generate RFC2617-compliant
basic authentication header
request.Headers.Add("Authorization", GetManualAuthorization("JoeBlow",
"MountainHo"));
request.Timeout = 20 * 1000;
request.Method = "POST";
request.ContentType = "application/x-www-form-urlencoded";
request.ContentLength = reqBytes.Length;

Stream reqStream = request
reqStream.Write(reqBytes,0,reqBytes.Length);
reqStream.Close();

------------------------------
POST / HTTP/1.1
Authorization: BASIC Sm9lQmxvdzpNb3VudGFpbkhv
Content-Type: application/x-www-form-urlencoded
Content-Length: 1718
Expect: 100-continue
Connection: Keep-Alive
Host: me:10000


Nov 22 '05 #2
Peter -

I want to thank you for that thorough response.

I kind of suspected that was the case. Sometimes you have to read a RFC a
few hundred times to translate from theory to practical use. I had made
mention (to the authors of the server) that no challenge was being issued.
Unfortunately, especially in the industry that I am in, not responding (and
just closing the connection) in the absence of proper credentials is very
common. It prevents an accidental or deliberate probe of a URL from
divulging information that can be used to mount a subsequent attack.

The hack that you included below is similar to the one I did myself. I
merely put it in a method of a utility class rather than one of a derived
class.
- Patrick


"Peter Huang [MSFT]" <v-******@online.microsoft.com> wrote in message
news:XH**************@cpmsftngxa06.phx.gbl...
| Hi Patrick,
|
| The reason you are not seeing the credentials passed on the
| inital request to the web server is because Microsoft is following
| section 2 of RFC 2617(http://www.faqs.org/rfcs/rfc2617.html)
|
| Hereís the main benefit of using pre-authenticate. Suppose Iím going to
| make 50
| requests to <http://server/path/> and this URL is protected with Basic
| authentication. On the first request, the client gets challenged by the
| server and
| sends back a second request which contains information that the server
| accepts
| (assuming auth succeeds) so it can send back the requested resource.
| With the pre-authenticate property set to true:
| The remaining 49 requests will include the authorization information in
the
| first
| request they send to the server so the server will not challenge the
client
| and
| force it to do another round trip before getting the resource.
| The total number of roundtrips between client and server will be 51.
| With the pre-authenticate property set to false:
| The remaining 49 requests will not include the authorization information
in
| the
| first request and will therefore be challenged by the server on each first
| request
| and will only get the desired resource after sending the authorization
| header in
| the second request.
| The total number of roundtrips between client and server will be 100.
| In other words, pre-authenticate=true is one request shy of taking half
the
| time of
| pre-authenticate=false. Note that pre-authentication only works for Digest
| and
| Basic in v1.0. It canít work for NTLM because it is connection-based
| however the
| fact that it is connection based means that youíll only get challenged
once
| per
| connection so it isnít an issue if you are caching connections. In the
| Whidbey
| release of the .NET Framework weíll also support pre-authentication for
| Kerberos.
|
| In order to get the inital request to send credentials, you will need to
| use the
| workaround of overriding the GetWebRequest method in the proxy code.
|
| (Hack code obtained from the Internet)
| The PreAuthenticate property on .NET's
| System.Web.Services.Protocols.SoapHttpClientProtoc ol is supposed to force
| the SOAP
| client proxy to send credentials with the first request, rather than doing
| the
| challenge/response exchange. If you add the following code to your SOAP
| Client
| proxy, you can make PreAuthenticate work (this example is for basic
| authentication):
| protected override System.Net.WebRequest
| GetWebRequest(Uri uri) {
| System.Net.HttpWebRequest request =
| (System.Net.HttpWebRequest)base.GetWebRequest(uri) ;
| if (this.PreAuthenticate) {
| System.Net.NetworkCredential nc =
| this.Credentials.GetCredential(uri,"Basic");
| if (nc != null) {
| byte[] credBuf =
| new System.Text.UTF8Encoding().
| GetBytes(nc.UserName + ":" + nc.Password);
| request.Headers["Authorization"] =
| "Basic " + Convert.ToBase64String(credBuf);
| }
| }
| return request;
| }
|
| This work around modifies the web service proxy class which is
| automatically generated. This means every time someone updates a "web
| reference" in
| Dev Studio, they would need to reinsert the "hack" code.
|
| Let me know if you have any questions or conerns.
|
| Regards,
| Peter Huang
| Microsoft Online Partner Support
| Get Secure! www.microsoft.com/security
| This posting is provided "as is" with no warranties and confers no rights.
Nov 22 '05 #3
Hi Patrick,

I am glad that you have gotten a workaround yourself.
Regards,
Peter Huang
Microsoft Online Partner Support
Get Secure! www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
--------------------
From: "Patrick Fogarty" <pa*************@spam.hotmail.no.com>
References: <ev**************@TK2MSFTNGP12.phx.gbl> <XH**************@cpmsftngxa06.phx.gbl>Subject: Re: Authentication not working on HTTP-POST using NetworkCredentialDate: Tue, 26 Aug 2003 09:13:29 -0400
Lines: 118
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <OK*************@TK2MSFTNGP10.phx.gbl>
Newsgroups: microsoft.public.dotnet.general
NNTP-Posting-Host: ool-18ba9dd9.dyn.optonline.net 24.186.157.217
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP10.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.general:106081
X-Tomcat-NG: microsoft.public.dotnet.general

Peter -

I want to thank you for that thorough response.

I kind of suspected that was the case. Sometimes you have to read a RFC a
few hundred times to translate from theory to practical use. I had made
mention (to the authors of the server) that no challenge was being issued.
Unfortunately, especially in the industry that I am in, not responding (and
just closing the connection) in the absence of proper credentials is very
common. It prevents an accidental or deliberate probe of a URL from
divulging information that can be used to mount a subsequent attack.

The hack that you included below is similar to the one I did myself. I
merely put it in a method of a utility class rather than one of a derived
class.
- Patrick


"Peter Huang [MSFT]" <v-******@online.microsoft.com> wrote in message
news:XH**************@cpmsftngxa06.phx.gbl...
| Hi Patrick,
|
| The reason you are not seeing the credentials passed on the
| inital request to the web server is because Microsoft is following
| section 2 of RFC 2617(http://www.faqs.org/rfcs/rfc2617.html)
|
| Hereís the main benefit of using pre-authenticate. Suppose Iím going to
| make 50
| requests to <http://server/path/> and this URL is protected with Basic
| authentication. On the first request, the client gets challenged by the
| server and
| sends back a second request which contains information that the server
| accepts
| (assuming auth succeeds) so it can send back the requested resource.
| With the pre-authenticate property set to true:
| The remaining 49 requests will include the authorization information in
the
| first
| request they send to the server so the server will not challenge the
client
| and
| force it to do another round trip before getting the resource.
| The total number of roundtrips between client and server will be 51.
| With the pre-authenticate property set to false:
| The remaining 49 requests will not include the authorization information
in
| the
| first request and will therefore be challenged by the server on each first| request
| and will only get the desired resource after sending the authorization
| header in
| the second request.
| The total number of roundtrips between client and server will be 100.
| In other words, pre-authenticate=true is one request shy of taking half
the
| time of
| pre-authenticate=false. Note that pre-authentication only works for Digest| and
| Basic in v1.0. It canít work for NTLM because it is connection-based
| however the
| fact that it is connection based means that youíll only get challenged
once
| per
| connection so it isnít an issue if you are caching connections. In the
| Whidbey
| release of the .NET Framework weíll also support pre-authentication for
| Kerberos.
|
| In order to get the inital request to send credentials, you will need to
| use the
| workaround of overriding the GetWebRequest method in the proxy code.
|
| (Hack code obtained from the Internet)
| The PreAuthenticate property on .NET's
| System.Web.Services.Protocols.SoapHttpClientProtoc ol is supposed to force
| the SOAP
| client proxy to send credentials with the first request, rather than doing| the
| challenge/response exchange. If you add the following code to your SOAP
| Client
| proxy, you can make PreAuthenticate work (this example is for basic
| authentication):
| protected override System.Net.WebRequest
| GetWebRequest(Uri uri) {
| System.Net.HttpWebRequest request =
| (System.Net.HttpWebRequest)base.GetWebRequest(uri) ;
| if (this.PreAuthenticate) {
| System.Net.NetworkCredential nc =
| this.Credentials.GetCredential(uri,"Basic");
| if (nc != null) {
| byte[] credBuf =
| new System.Text.UTF8Encoding().
| GetBytes(nc.UserName + ":" + nc.Password);
| request.Headers["Authorization"] =
| "Basic " + Convert.ToBase64String(credBuf);
| }
| }
| return request;
| }
|
| This work around modifies the web service proxy class which is
| automatically generated. This means every time someone updates a "web
| reference" in
| Dev Studio, they would need to reinsert the "hack" code.
|
| Let me know if you have any questions or conerns.
|
| Regards,
| Peter Huang
| Microsoft Online Partner Support
| Get Secure! www.microsoft.com/security
| This posting is provided "as is" with no warranties and confers no rights.


Nov 22 '05 #4

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

14
by: John Davis | last post by:
Anyone knows how to create the username/password authorization dialog in ASP? Thanks, John
1
by: Hugh McLaughlin | last post by:
Hello Everyone and thanks for your help in advance. I recently installed Visual Studio 2003 and .Net 1.1. I then converted one of my applications to 2003. However, I am running into a probelm...
2
by: Kian Goh | last post by:
Hi there, I am trying to use an entry level security for my resources website. I followed the procedures in the MS published Self-Paced Training Kit, everything seems working as expected....
1
by: Galore | last post by:
Hello! I wonder if there's a way to a web site has both kinds of authentication: windows and forms. The web application I'm working on will be accessed by two kind of users: administrators, that...
2
by: Dan | last post by:
hi ng, i have a problem with windows authentification. i want to forward every user who 1. is not authorized 2. or could not be authenticated to a login page -------------------
3
by: Paul Mason | last post by:
Hi folks, An odd one for the start of this week. I have a web project that I have taken over from a colleague. He had the authentication set to windows, but I have now changed that to forms...
1
by: Shapper | last post by:
Hello, I am developing a web site where half of the pages are public and the other half are accessible only to registered users. The pages which are accessible only to registered users have...
8
by: Tomasz | last post by:
Hello Developers! I have an interesting problem using my custom MembershipProvider, RoleProvider and Forms Authentication. Both MembershipProvider and RoleProvider require session state, where...
2
by: WT | last post by:
Hello, I tryed to fix a variable with the current authentication mode, I tryed to use Request.LogonUserIdentity AuthenticationType for this but when I traced with this code if...
1
by: =?Utf-8?B?U3RlcGhhbmU=?= | last post by:
Hi, I have a problem with Integrated Windows Authentication on one server (Win Server 2003 SP2 IIS 6.0 ASP.Net 1.4). Let's say I want to disable anonymous connections to an admin directory, I...
1
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...
0
by: taylorcarr | last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
0
by: aa123db | last post by:
Variable and constants Use var or let for variables and const fror constants. Var foo ='bar'; Let foo ='bar';const baz ='bar'; Functions function $name$ ($parameters$) { } ...
0
by: emmanuelkatto | last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud. Please let me know. Thanks! Emmanuel
0
BarryA
by: BarryA | last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
1
by: nemocccc | last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
1
by: Sonnysonu | last post by:
This is the data of csv file 1 2 3 1 2 3 1 2 3 1 2 3 2 3 2 3 3 the lengths should be different i have to store the data by column-wise with in the specific length. suppose the i have to...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.