How to redirect a user to a different server and include HTTP basic authentication credentials?

I have a web application (C# - ASP.net) that needs to pass a user to a page on a remote Apache server using HTTP Basic Authentication. I need to be able to pass a user name and password to this server to allow users authenticated by my application to seamlessly use the other application without being prompted to enter credentials they don't have. The hand-off should be secure since both systems require SSL as long as the user name and password are not in client-side script. Is there a way to do this?

Answer1:

Basic authentication details are encoded in the request header named "Authorization" from the client. The header contains the base64 encoded result of "username:password".

e.g. Aladdin:open sesame = Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

There are more details on the Basic Access Auth Wikipedia page.

For basic authentication, the Authorization header needs to be added to every request. Usually the browser will take care of this after the user has entered their credentials into the dialog presented by the browser. If you want to avoid having your users enter these credentials, then your ASP.net server will need to sit in between the user and the Apache server (acting as a reverse proxy) adding the auth headers to every request that it forwards on behalf of your users.

It is not possible to simply visit your server once and for it to add a "token" to the request then redirect to the Apache server. This approach would be possible if you were using forms/cookies for authentication and your servers presented themselves to the user as within the same domain (e.g. asp.domain.com & apache.domain.com) then the auth cookie could be set on the parent domain (e.g. domain.com) and shared - see Forms Authentication across sub-domains.

Assuming that the basic auth scheme on the Apache server is not something you can easily change, it seems like the reverse proxy is the best option. In the reverse proxy code, the HttpWebRequest is the means to create each request to the Apache server and add the additional authentication headers to it.

.NET will deal with encoding the credentials in the proxied request using something like:

    // RemoteServer is the proxy's own helper class (not shown here).
    RemoteServer remoteServer = new RemoteServer(httpContext);
    HttpWebRequest request = remoteServer.GetRequest();
    request.PreAuthenticate = true;
    // The password is read from secure server-side storage.
    request.Credentials = new NetworkCredential(UserName, SecurelyStoredPassword);
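The header construction and the proxy-side request described in Answer1, as an added example that is not part of the original answers. The class name `BasicAuthForwarder`, the host `apache.example.com`, the path and the credentials are constructed for illustration, and UTF-8 encoding of the credentials is an assumption.

```csharp
using System;
using System.Net;
using System.Text;

public static class BasicAuthForwarder
{
    // "Basic " + base64("username:password"), as described in Answer1.
    public static string BuildBasicHeader(string user, string password)
    {
        // The first ':' separates the two fields, so a user name containing
        // one cannot be represented.
        if (string.IsNullOrEmpty(user) || user.Contains(":"))
            throw new ArgumentException("invalid user name", "user");
        // Assumption: UTF-8 credentials (identical to ASCII for plain names).
        return "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes(user + ":" + password));
    }

    // Builds the request the proxy sends to Apache on the user's behalf.
    // The credentials are attached here, server-side, and never reach the browser.
    public static HttpWebRequest CreateUpstreamRequest(
        Uri upstreamBase, string pathAndQuery, string method, string user, string password)
    {
        if (upstreamBase.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("upstream must be HTTPS");
        // Resolve the client-supplied path, then confirm it still points at the
        // configured server: "//other.host/x" or an absolute URL would not.
        var target = new Uri(upstreamBase, pathAndQuery);
        if (!string.Equals(target.GetLeftPart(UriPartial.Authority),
                           upstreamBase.GetLeftPart(UriPartial.Authority),
                           StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("path escapes the upstream server");
        var request = (HttpWebRequest)WebRequest.Create(target);
        request.Method = method;
        // Set only by the proxy; an Authorization header from the client is not copied.
        request.Headers[HttpRequestHeader.Authorization] = BuildBasicHeader(user, password);
        return request;
    }

    public static void Main()
    {
        // The pair from Answer1.
        Console.WriteLine(BuildBasicHeader("Aladdin", "open sesame"));
        // Constructed upstream host, path and credentials; nothing is sent.
        var req = CreateUpstreamRequest(new Uri("https://apache.example.com/"),
            "/reports/index.html", "GET", "svc-user", "constructed-password");
        Console.WriteLine(req.Method + " " + req.RequestUri);
    }
}
```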

Answer2:

Try using the URL format https://username:password@example.com

Answer3:

Only other thing I can think of - if the page doesn't force its way out, load a page of their site in a frame, send it data + controls via JavaScript so it sends the login and so on. Might be feasible.
