Setting up HttpListener basic authentication

Hi Sousoux,

Welcome to MSDN newsgroup.
As for the HttpListener component in .net 2.0, it is just rely on the OS's
underlying http.sys kernal module to accept http requests... And for
Security authentication, it is done by the internal code which call
platform authentication apis to autheniticate the client request, and we
can not intercept the authentication progress... (just as we can not
intercept the IIS's authentication process when host our web application in
IIS server) If you want to do some customized athroization task based on
the authenticated client side user identity, you can get it through the
HttpListenerContext. e.g:

private void btnStart_Click(object sender, EventArgs e)
{
_httpsvc = new HttpListener();

string name = System.Environment.MachineName;

_httpsvc.Prefixes.Add("http://localhost:80/httpsvc/");
_httpsvc.Prefixes.Add("http://" + name + ":80/httpsvc/");
_httpsvc.AuthenticationSchemes =
AuthenticationSchemes.Negotiate;

_httpsvc.Start();

MessageBox.Show("http server started....");
IAsyncResult result = _httpsvc.BeginGetContext(new
AsyncCallback(ListenerCallback),_httpsvc);

MessageBox.Show("Waiting for request to be processed
asyncronously.");
}

private void btnStop_Click(object sender, EventArgs e)
{
_httpsvc.Stop();

MessageBox.Show("http server stoped....");
}
public static void ListenerCallback(IAsyncResult result)
{
HttpListener listener = (HttpListener)result.AsyncState;

HttpListenerContext context = listener.EndGetContext(result);
HttpListenerRequest request = context.Request;

HttpListenerResponse response = context.Response;

string responseString = "<HTML><BODY> Hello {0}!</BODY></HTML>";
responseString =
string.Format(responseString,context.User.Identity .Name);

byte[] buffer =
System.Text.Encoding.UTF8.GetBytes(responseString) ;

response.ContentLength64 = buffer.Length;
System.IO.Stream output = response.OutputStream;
output.Write(buffer, 0, buffer.Length);
// You must close the output stream.
output.Close();
}
The context.User.Identity just represent the authenticated client user
identity:

Hope helps.

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

--------------------
Thread-Topic: Setting up HttpListener basic authentication
thread-index: AcYSwqU53vYU/iV5QAieWKg30xHFLQ==
X-WBNR-Posting-Host: 80.13.134.75
From: =?Utf-8?B?TWFydGlu?= <so*****@nospam.nospam>
Subject: Setting up HttpListener basic authentication
Date: Fri, 6 Jan 2006 05:11:03 -0800
Lines: 7
Message-ID: <35**********************************@microsoft.co m>
MIME-Version: 1.0
Content-Type: text/plain;
charset="Utf-8"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
Newsgroups: microsoft.public.dotnet.framework.webservices
NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSF TNGXA03.phx.gbl
microsoft.public.dotnet.framework.webservices:1326 4
X-Tomcat-NG: microsoft.public.dotnet.framework.webservices

How does one set up basic authentication on an HttpListener? I know I need
to
set the HttpListener.AuthenticationSchemes to AuthenticationSchemes.Basic
but
then I'm unsure how and against what (users on the PC?) the Authentication
is
occuring. Is there a way for me to receive and control the Authentication
attempt myself?

This is probably obvious but I've found nothing describing it.

That's actually not correct when it comes to basic auth. The other
types will authenticate against windows or domain users, but basic
leaves it in your hands and will pass you whatever user and pass they
type in.

With the HttpListener and basic authentication it provides the user
and password to you, you'll need to cast the context.Identity as a
HttpListenerBasicIdentity in order to see the password field. From
here you can check that against your own users that are internal to
your software or use API or new 2.0 classes to autheniticate against a
system or domain.

The only problem I've had that I am curious about, if they put in the
incorrect password you can set the status to 401 Unauthorized, but you
are not permitted to set the WWWAuthenticate HTTP header, so the
browser will not prompt them again, it just goes to a blank page or to
whatever content you've sent back. The other types, I'm currently
using NTLM, work as expected and will prompt a bad password 3 or 4
times before it fails.. but then do not give you the ability to provide
the error page.. so neither way have I been able to truly reproduce IIS
behavior. My next step will be trying to override some of the
Listeners functionality.

Nick Brookins
SAM Systems, Inc

Thanks for your input Nick,

Yes, the HttpListener's implementation is still far from well since it's
just a simple light wight component for accept HTTP request. And for the
authentication error, so far we haven't any good means to intercept it,
actually when hosting in IIS, the authentication error is also handled by
IIS and provide an exception screen rather than opened to our asp.net
extension...

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
From: nb*******@gmail.com
Newsgroups: microsoft.public.dotnet.framework.webservices
Subject: Re: Setting up HttpListener basic authentication
Date: 9 Jan 2006 13:23:29 -0800
Organization: http://groups.google.com
Lines: 26
Message-ID: <11**********************@g14g2000cwa.googlegroups .com>
References: <35**********************************@microsoft.co m>
<wS**************@TK2MSFTNGXA02.phx.gbl>
NNTP-Posting-Host: 64.199.1.169
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Trace: posting.google.com 1136841815 7986 127.0.0.1 (9 Jan 2006 21:23:35
GMT)
X-Complaints-To: gr**********@google.com
NNTP-Posting-Date: Mon, 9 Jan 2006 21:23:35 +0000 (UTC)
In-Reply-To: <wS**************@TK2MSFTNGXA02.phx.gbl>
User-Agent: G2/0.2
X-HTTP-UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1;
.NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727),gzip(gfe),gzip(gfe)
Complaints-To: gr**********@google.com
Injection-Info: g14g2000cwa.googlegroups.com; posting-host=64.199.1.169;
posting-account=SXYE5wwAAAAtcbMjaSZZGoG7fvCnEnQd
Path:
TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfee d00.sul.t-online.de!t-onli
ne.de!news.glorb.com!postnews.google.com!g14g2000c wa.googlegroups.com!not-fo
r-mail
Xref: TK2MSFTNGXA02.phx.gbl
microsoft.public.dotnet.framework.webservices:1330 1
X-Tomcat-NG: microsoft.public.dotnet.framework.webservices

That's actually not correct when it comes to basic auth. The other
types will authenticate against windows or domain users, but basic
leaves it in your hands and will pass you whatever user and pass they
type in.

With the HttpListener and basic authentication it provides the user
and password to you, you'll need to cast the context.Identity as a
HttpListenerBasicIdentity in order to see the password field. From
here you can check that against your own users that are internal to
your software or use API or new 2.0 classes to autheniticate against a
system or domain.

The only problem I've had that I am curious about, if they put in the
incorrect password you can set the status to 401 Unauthorized, but you
are not permitted to set the WWWAuthenticate HTTP header, so the
browser will not prompt them again, it just goes to a blank page or to
whatever content you've sent back. The other types, I'm currently
using NTLM, work as expected and will prompt a bad password 3 or 4
times before it fails.. but then do not give you the ability to provide
the error page.. so neither way have I been able to truly reproduce IIS
behavior. My next step will be trying to override some of the
Listeners functionality.

Nick Brookins
SAM Systems, Inc