Credientials to an HTTP POST request.

[Guest]

I am trying to post an HTTP request to a site that requires a user name and
password. I am trying the following:

objRequest =
DirectCast(System.Net.HttpWebRequest.Create(urlString),
System.Net.HttpWebRequest)
Dim credentials As New CredentialCache()
credentials.Add(New Uri(urlString), "Basic", New
NetworkCredential("user", "password"))
'Dim credentials As NetworkCredential = New NetworkCredential()
objRequest.Credentials = credentials

But using Fiddler I don't see any of the security authorization header
information so I am wondering if the user name and password is getting
passed. First does the above look correct?

Thank you.

Kevin

 

[Vadym Stetsyak]

Hello, Kevin!

[skipped]

KB> But using Fiddler I don't see any of the security authorization header
KB> information so I am wondering if the user name and password is getting
KB> passed. First does the above look correct?

What Http Response do you get, when you issue your request?

--
Regards, Vadym Stetsyak
www: http://vadmyst.blogspot.com

 

[Guest]

I just get a web exception when I try to read the response.

 

[Vadym Stetsyak]

Hello, Kevin!

Did you check WebException.Response property?

--
Regards, Vadym Stetsyak
www: http://vadmyst.blogspot.com

 

[Guest]

The response is Nothing/null on the exception.

 

[Joerg Jooss]

Thus wrote Kevin,

I am trying to post an HTTP request to a site that requires a user
name and password. I am trying the following:

objRequest =
DirectCast(System.Net.HttpWebRequest.Create(urlString),
System.Net.HttpWebRequest)
Dim credentials As New CredentialCache()
credentials.Add(New Uri(urlString), "Basic", New
NetworkCredential("user", "password"))
'Dim credentials As NetworkCredential = New
NetworkCredential()
objRequest.Credentials = credentials
But using Fiddler I don't see any of the security authorization header
information so I am wondering if the user name and password is getting
passed. First does the above look correct?

Authorization headers are never being sent with the first request, only after
an initial challenge from the server. If you set HttpWebRequest.PreAuthenticate
to true, all subsequent requests after the first will contain Authorization
headers. If PreAuthenticate is set to false, there will be a challenge/response
exchange for each request to a protected resource.

Cheers,

 

[Guest]

Thank you very much for your time this information helps alot.

If PreAuthenticate is false then when are the Authentication headers set?
The challenge/response is against which resource? If it fails is the
application notified.

Thanks again.

Kevin

 

[Joerg Jooss]

Thus wrote Kevin,

Thank you very much for your time this information helps alot.

If PreAuthenticate is false then when are the Authentication headers
set?

After every HTTP 401 response. See http://msdn2.microsoft.com/en-us/library/system.net.httpwebrequest.preauthenticate.aspx.

The challenge/response is against which resource?

What do you mean by "against"?

If you access a protected resource on the server side (like a web page) without
credentials (as per HTTP Authorize header), the server will respond with
a 401 response, in which case the client resubmits the request including
the Authorize header. PreAuthenticate prevents this double roundtrip except
the first one that accesses a protected resource.

If it fails is
the application notified.

Sure, you'll get a WebException with Status set to ProtocolError and its
Response containing the HTTP error response.

Cheers,

 

[Guest]

Again thank you for your patience.

The documentation that you directed me to only gives an example of GET. Is a
POST handled differently?

When I create a NetworkCredential I give a user name and password (no
domain). I would like to manually authenticate this user name and password. I
don't want the OS, Active Directory, etc. to authicate these credentials.
That is what I mean by "against". I need to control what is authenticating
these credentials.

For this simple case there is no access to a protected resource. The
incoming data is tied to the POST and if the credentials match (are
authenticated) then the response will be a response to the POST. Can I expect
to get a PreAuthenticate event in the HttpApplication under these conditions?

Thanks again.

 

[Joerg Jooss]

Thus wrote Kevin,

Again thank you for your patience.

The documentation that you directed me to only gives an example of
GET. Is a POST handled differently?
No.

When I create a NetworkCredential I give a user name and password (no
domain). I would like to manually authenticate this user name and
password. I don't want the OS, Active Directory, etc. to authicate
these credentials. That is what I mean by "against". I need to control
what is authenticating these credentials.

But that's a different question, isn't it? Authentication happens on the
server side, but HttpWebRequest is a client side class. What you're really
asking is how to tap into IIS's Basic Authentication implementation to provide
your own authentication realm. I guess that requires your own Basic Authentication
HttpModule and bypassing IIS Basic Authentication completely.

For this simple case there is no access to a protected resource.

Whenever there is a need for authentication, there is a protected resource
;-)

The incoming data is tied to the POST and if the credentials match (are
authenticated) then the response will be a response to the POST. Can I
expect to get a PreAuthenticate event in the HttpApplication under
these conditions?

There's no PreAuthenticate event in HttpApplication, only AuthenticateRequest
and PostAuthenticateRequest. When you're running IIS with Basic Authentication
enabled, the user's identity (i.e. HttpContext.User.Identity) will be set
accordingly (at latest) when PostAuthenticateRequest fires.

Cheers,

 

[Guest]

Thank you again. I am starting to understand.

Adding the credentials to the HttpWebRequest does not seem to alter the flow
on the server side. The credentails are ignored and the request succeeds. I
guess my real question is, "Setting the credentials on the client request
doesn't seem to trigger any events on the server side. So what do I need to
do on the server side to require these credentials? How do I make a need for
authentication? And then once this need is created what events will be
generated on the server that will need to be responded to in order for the
request to succeed?"

Thanks again.

Kevin

 

[Joerg Jooss]

Thus wrote Kevin,

Thank you again. I am starting to understand.

Adding the credentials to the HttpWebRequest does not seem to alter
the flow on the server side. The credentails are ignored and the
request succeeds. I guess my real question is, "Setting the
credentials on the client request doesn't seem to trigger any events
on the server side. So what do I need to do on the server side to
require these credentials?
How do I make a need for authentication?

You have to configure IIS to apply Basic Authentication. But as I said, it's
handled completely inside IIS and is based on Windows Domains as realm.

And then once this need is created what events will be generated on
the server that will need to be responded to in order for the request
to succeed?"

In answered that in my previous post. There are AuthenticateRequest and PostAuthenticateRequest.

Cheers,