How to get password server side with basic authentication

Collapse
This topic is closed.
X
X
 
  • Time
  • Show
Clear All
new posts
  • Tommaso Caldarola

    How to get password server side with basic authentication

    Book: "Building Secure ASP.NET Applications", at page 276 says:

    I'm speaking about .NET Remoting Security chapter.

    "With Basic Authentication the username and password are available to the server
    in clera text."

    Now, I get username in this way:

    System.Web.Http Context.Current .User.Identity. Name

    and how to get the password?

  • Nicholas Paldino [.NET/C# MVP]

    #2
    Re: How to get password server side with basic authentication

    Tommaso,

    At that point, I am kind of wondering, why do you want it? The user is
    authenticated at that point, and you can be assured that they have logged in
    correctly.


    --
    - Nicholas Paldino [.NET/C# MVP]
    - mvp@spam.guard. caspershouse.co m

    "Tommaso Caldarola" <ilbecchino@lci mitero.itwrote in message
    news:44fd9a1b$1 _1@x-privat.org...
    Book: "Building Secure ASP.NET Applications", at page 276 says:
    >
    I'm speaking about .NET Remoting Security chapter.
    >
    "With Basic Authentication the username and password are available to the
    server in clera text."
    >
    Now, I get username in this way:
    >
    System.Web.Http Context.Current .User.Identity. Name
    >
    and how to get the password?
    >

    Comment

    • Tommaso Caldarola

      #3
      Re: How to get password server side with basic authentication

      Nicholas Paldino [.NET/C# MVP] wrote:
      Tommaso,
      >
      At that point, I am kind of wondering, why do you want it? The user is
      authenticated at that point, and you can be assured that they have logged in
      correctly.
      >
      >
      If I put in client code

      IDictionary props = ChannelServices .GetChannelSink Properties(prox y);
      props["username"] = "dummyremotingu ser";
      props["password"] = "12345";

      and then I call proxy.Method()

      on the server side in host on IIS (where do I set basic authentication) I got:

      IPrincipal principal = System.Web.Http Context.Current .User;

      here I want to perform custom authentication on LDAP or Database, the user IS
      NOT AUTHENTICATED at this point, how do it? I need to know pasword too.




      Comment

      • Nicholas Paldino [.NET/C# MVP]

        #4
        Re: How to get password server side with basic authentication

        Tommaso,

        Actually, the user is authenticated, from the perspective of IIS. From
        the perspective of LDAP or Database, no, it is not.

        There are two solutions here. The first is to not always use different
        credentials when accessing the database or an LDAP. Rather, you should
        create an account under which your service runs, and then grant access to
        that service account. This actually improves scalability when working with
        databases, as the connections can be pooled. However, if you are putting
        different client credentials together for each connection to the database,
        you can't pool them.

        Of course, you would have to manage access to the database yourself, but
        it's a better alternative, IMO.

        The second option would be to use Windows authentication. Then you need
        to set IIS up to impersonate the user that is connected. Then, you can use
        integrated security to attach to the database and to LDAP.


        --
        - Nicholas Paldino [.NET/C# MVP]
        - mvp@spam.guard. caspershouse.co m

        "Tommaso Caldarola" <ilbecchino@lci mitero.itwrote in message
        news:44fda03b$2 _2@x-privat.org...
        Nicholas Paldino [.NET/C# MVP] wrote:
        >
        >Tommaso,
        >>
        > At that point, I am kind of wondering, why do you want it? The user
        >is authenticated at that point, and you can be assured that they have
        >logged in correctly.
        >>
        >>
        >
        If I put in client code
        >
        IDictionary props = ChannelServices .GetChannelSink Properties(prox y);
        props["username"] = "dummyremotingu ser";
        props["password"] = "12345";
        >
        and then I call proxy.Method()
        >
        on the server side in host on IIS (where do I set basic authentication) I
        got:
        >
        IPrincipal principal = System.Web.Http Context.Current .User;
        >
        here I want to perform custom authentication on LDAP or Database, the user
        IS NOT AUTHENTICATED at this point, how do it? I need to know pasword too.
        >
        >
        >
        >

        Comment

        • Willy Denoyette [MVP]

          #5
          Re: How to get password server side with basic authentication


          "Tommaso Caldarola" <ilbecchino@lci mitero.itwrote in message
          news:44fda03b$2 _2@x-privat.org...
          | Nicholas Paldino [.NET/C# MVP] wrote:
          |
          | Tommaso,
          | >
          | At that point, I am kind of wondering, why do you want it? The user
          is
          | authenticated at that point, and you can be assured that they have
          logged in
          | correctly.
          | >
          | >
          |
          | If I put in client code
          |
          | IDictionary props = ChannelServices .GetChannelSink Properties(prox y);
          | props["username"] = "dummyremotingu ser";
          | props["password"] = "12345";
          |
          | and then I call proxy.Method()
          |
          | on the server side in host on IIS (where do I set basic authentication) I
          got:
          |
          | IPrincipal principal = System.Web.Http Context.Current .User;
          |
          | here I want to perform custom authentication on LDAP or Database, the user
          IS
          | NOT AUTHENTICATED at this point, how do it? I need to know pasword too.
          |

          The client IS authenticated with IIS (and the SAM).

          Anyway, what you are looking for is called - Kerberos Protocol Transition ,
          a feature available in W2K3.

          Start reading these for more detailed info:

          Dans l’intégration de SQL Server CLR, vous pouvez emprunter l’identité de l’appelant dans l’authentification Windows à l’aide de la propriété SqlContext.WindowsIdentity.




          Willy.


          Comment

          Working...