
IIS rewrite rule for basic auth on the querystring

I am trying to automatically log in users to an Xwiki install via basic auth. This is because help is stored in the wiki, but we want the retrieval process to be transparent to the user.

We push the user off to a url (via an <a> tag) like: http://username:password@xwiki.example.org/xwiki/bin/view/Main?basicauth=1

This works fine in every browser except Internet Explorer (see: http://support.microsoft.com/kb/834489). Unfortunately, 80% of our user base uses Internet Explorer and it is not an option to have them type in the credentials manually.

Currently, we have IIS 7.5 sitting in front of Xwiki and proxying all requests to the Tomcat instance on another server. This works fine. To solve my problem, I thought I could use an IIS rewrite rule to turn a url like this:

http://xwiki.example.org/xwiki/bin/view/Main?basicauth=1&_username=username&_password=password

into this:

http://username:password@xwiki.example.org/xwiki/bin/view/Main?basicauth=1&_username=username&_password=password

The idea being that IIS would substitute the _username/_password querystring parameters into the URL and pass it off to Tomcat, and Xwiki would ignore the extra parameters.

I have created a URL rewrite rule like:

<rule name="BasicAuthRewrite" enabled="true">
   <match url="https?://(.+)&amp;?_username=(.+)&amp;_password=(.+)" />
   <action type="Rewrite" url="http://{R:2}:{R:3}@xwiki.example.org/{R:1}" />
</rule>

When I go 'Test pattern' in IIS and supply my url, all the backreferences ({R:x}) match up to the data I want. However, when I visit the URL in my browser, the rewrite rule fails to invoke.

Is there any way I can achieve my desired behaviour?

asked Feb 28 '12 20:02

Erin Drummond



1 Answer

It is possible to do Basic authentication with URL rewrite on IIS. You should add the server variable HTTP_Authorization with the value Basic followed by the username:password in base64. Remember to add the variable in the allowed variables.

So for the user Aladdin with the password open sesame, the format would be Aladdin:open sesame, base64 encoded as QWxhZGRpbjpvcGVuIHNlc2FtZQ==.

Which translates into Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

<rule name="SomeName" stopProcessing="true">
    <match url="url/to/match" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
    <action type="Rewrite" url="http://www.redirecturl.com/" appendQueryString="true" />
    <serverVariables>
        <set name="HTTP_Authorization" value="Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" />
    </serverVariables>
</rule>

answered Oct 21 '22 08:10

Jaco
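
A defender-side check for the technique in the answer above, added here as an example and not part of the original answer: it parses a web.config, finds rewrite rules that set a literal Basic Authorization value, decodes the username, and reports whether the variable is on the allow-list. The function names and the sample config are constructed for illustration (the rule and the Aladdin credentials are the ones from the answer), and the case-insensitive name comparison is an assumption.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample: the answer's rule plus the allow-list entry it mentions.
SAMPLE_WEB_CONFIG = """\
<system.webServer><rewrite>
  <allowedServerVariables><add name="HTTP_Authorization" /></allowedServerVariables>
  <rules>
    <rule name="SomeName" stopProcessing="true">
      <match url="url/to/match" />
      <action type="Rewrite" url="http://www.redirecturl.com/" appendQueryString="true" />
      <serverVariables>
        <set name="HTTP_Authorization" value="Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" />
      </serverVariables>
    </rule>
  </rules>
</rewrite></system.webServer>
"""


def basic_header(username, password):
    """Build the header value as the answer describes: base64 of "user:password"."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def audit_basic_auth_rules(web_config_xml):
    """Return one finding per rewrite rule that injects a hard-coded Basic credential."""
    root = ET.fromstring(web_config_xml)
    # Names are compared case-insensitively (assumption about IIS matching).
    allowed = {add.get("name", "").upper()
               for section in root.iter("allowedServerVariables")
               for add in section.iter("add")}
    findings = []
    for rule in root.iter("rule"):
        for var in rule.iter("set"):
            name, value = var.get("name", ""), var.get("value", "")
            if name.upper() != "HTTP_AUTHORIZATION" or not value.lower().startswith("basic "):
                continue
            try:
                decoded = base64.b64decode(value[6:].strip(), validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # not a literal credential, e.g. built from back-references
            user, _, password = decoded.partition(":")
            findings.append({"rule": rule.get("name"), "username": user,
                             "password_length": len(password),  # never echo the secret
                             "allowed": name.upper() in allowed})
    return findings
```

A finding means the credential is recoverable by anyone who can read web.config, because base64 is an encoding and not encryption.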