ASP.Net - Using Basic Authentication without having Windows Users

Question

We have an ASP.Net web application running on IIS6 that manages its own database of users.

The site itself just allows anonymous access and all authentication/security is managed using our application itself.

We have a page that contains an HTML table of data that we import into Excel and is then used for Reporting purposes. The page currently has no security implemented.

We need to add security to this page so that should these spreadsheets fall into the wrong hands then the data cannot be "Refreshed" without supplying a username / password.

If I set this page to not allow Anonymouse access then I can use Basic/Windows authentication with Windows Users in order to secure this page. Then when Excel refreshes the data the password dialog box pops up.

The problem is that I need to be able to secure this page based on the Users within our database and they will not be Windows users. I also need to do it in such a way that allows Excel to manage the authentication which excludes any Form based authentication.

Anyone got any ideas? Is it possible to get IIS to look elsewhere for it's Basic Authentication?

Answer 1

Ok, so I've found two solutions to this problem. One thanks to Zhaph - Ben Duguid's answer which is an HttpModule that allows ASP.Net to fully manage the authentication.

The second solution, and the one that I am going with, is thanks to this question/answer.

HTTP Authentication (Basic or Digest) in ASP Classic via IIS

I've stripped this down and have a simple test harness that seems to be working well. In this example, instead of a database call, it merely checks that the username and password match and considers that authenticated.

using System;
using System.Text;

namespace AuthenticationTests
{
    public partial class _Default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            string authorisationHeader = Request.ServerVariables["HTTP_AUTHORIZATION"];

            if (authorisationHeader != null && authorisationHeader.StartsWith("Basic ", StringComparison.InvariantCultureIgnoreCase))
            {
                string authorizationParameters = Encoding.Default.GetString(Convert.FromBase64String(authorisationHeader.Substring("Basic ".Length)));
                string userName = authorizationParameters.Split(':')[0];
                string password = authorizationParameters.Split(':')[1];

                if (userName == password) //Perform your actual "login" check here.
                {
                    //Authorised!
                    //Page loads as normal.
                }
                else
                {
                    Unauthorised();
                }
            }
            else
            {
                Unauthorised();
            }
        }

        private void Unauthorised()
        {
            Response.AddHeader("WWW-Authenticate", "Basic");
            Response.Status = "401 Unauthorized";
            Response.End();
        }
    }
}

Answer 2

As you've got a custom database of users, I'd recommend looking at building a quick membership provider that talks to your database schema.

MSDN has a good example on "How to: Sample Membership Provider".

You can then use the standard access control mechanisms of ASP.NET to lock down the page, require authentication, etc, along with controls like Login, LoginStatus and others to provide much of the UI you need.

---

Edit to add

A quick search found the following, which might help:

Web Service Security - Basic HTTP Authentication without Active Directory

Where Greg Reinacker presents "a fully working sample in 100% managed code demonstrating the use of HTTP Basic authentication, using a separate credential store (in this case, a XML file, although this would be easy to change to a database or LDAP store)."