Anonymous usser URL access testing issues
-
I've written a simple web app to test the URLs of our various internal applications to ensure none would allow anonymous login access. I thought all was working fine until another developer mentioned that one of the URLs should be accessible to anonymous users. We use Active directory logins/passwords and membership in order to provide/restrict access to certain pages and applications. When set to default credentials, I get no errors. When I set my network credentials to some made-up user, I get 401 errors, as expected for all URLs. For the URL in question that's accessible to internal anonymous (i.e. not logged-into-this-particular-app) users, I get the "401 access denied" message as well. Here are the main parts of the code:
NetworkCredential networkCredential = new NetworkCredential("stan", "abc123"); HttpWebRequest request = (HttpWebRequest)WebRequest.Create("http://www.SomeTestURLHere.com/default.aspx"); CookieContainer cookieContainer = new CookieContainer(); request.CookieContainer = cookieContainer; request.Credentials = networkCredential; using (HttpWebResponse response = (HttpWebResponse)request.GetResponse()) using (Stream dataStream = response.GetResponseStream()) using (StreamReader reader = new StreamReader(dataStream)) { // do work }This is all contained within a try-catch-finally block. With default credentials, I fall through into the "do work" section of the code. With the network credentials I set above, I get the "401" exception, which I would NOT expect for this particular URL since it's supposed to allow anonymous user access. So my question is: why am I getting the 401 message for this page? Thanks in advance for any assistance you can provide.---- Jboyd
-
I've written a simple web app to test the URLs of our various internal applications to ensure none would allow anonymous login access. I thought all was working fine until another developer mentioned that one of the URLs should be accessible to anonymous users. We use Active directory logins/passwords and membership in order to provide/restrict access to certain pages and applications. When set to default credentials, I get no errors. When I set my network credentials to some made-up user, I get 401 errors, as expected for all URLs. For the URL in question that's accessible to internal anonymous (i.e. not logged-into-this-particular-app) users, I get the "401 access denied" message as well. Here are the main parts of the code:
NetworkCredential networkCredential = new NetworkCredential("stan", "abc123"); HttpWebRequest request = (HttpWebRequest)WebRequest.Create("http://www.SomeTestURLHere.com/default.aspx"); CookieContainer cookieContainer = new CookieContainer(); request.CookieContainer = cookieContainer; request.Credentials = networkCredential; using (HttpWebResponse response = (HttpWebResponse)request.GetResponse()) using (Stream dataStream = response.GetResponseStream()) using (StreamReader reader = new StreamReader(dataStream)) { // do work }This is all contained within a try-catch-finally block. With default credentials, I fall through into the "do work" section of the code. With the network credentials I set above, I get the "401" exception, which I would NOT expect for this particular URL since it's supposed to allow anonymous user access. So my question is: why am I getting the 401 message for this page? Thanks in advance for any assistance you can provide.---- Jboyd
-
It does allow it if you come in from a web browser like internet explorer. This is within a company network so no one from outside can access the site, of course. The issue is you can log out of or into this particular internal site. When you log out of it you can still access this one page. When I try this using ASP.NET (HttpWebRequest) I get the error. Perhaps someone can answer this question: By setting my own "NetworkCredential" am I being looked at like I'm trying to access the internal page as though I'm an external user?
-
It does allow it if you come in from a web browser like internet explorer. This is within a company network so no one from outside can access the site, of course. The issue is you can log out of or into this particular internal site. When you log out of it you can still access this one page. When I try this using ASP.NET (HttpWebRequest) I get the error. Perhaps someone can answer this question: By setting my own "NetworkCredential" am I being looked at like I'm trying to access the internal page as though I'm an external user?
Here's a brief update after poking around a bit. I notice I get different behavior when I set "NetworkCredential" to my valid username and password then when I use "CredentialCache.DefaultCredentials". When I use "NetworkCredential", I can now access the URLs that allow "anonymous" access. But I now geet "401" errors with all other URLs. In short: a. Using "CredentialCache.DefaultCredentials" gives me access to all URLs b. Using "NetworkCredential" (with correct username and password) gives me access to URLs allowing "anonymous" access. Question: why do these behave differntly?