HttpWebRequest authentication
-
I'm trying to figure out authentication using the HttpWebRequest class. When I try to connect to a resource that requires a password in IE, a dialog pops up where I enter that information. How can I implement the same behavior using HttpWebRequest? When I connect with that class, I receive a 401 not authorized error. Which is fine, but I can't figure out how to show the proper dialog. Thanks.
-
If you get a 401, the correct procedure is to either pass credentials or prompt if you don't have them. So, let's say you have a while (or for) loop (it's good to terminate it at some point). If you get a 401, prompt the user with a Form you could easily create that asks for a username and password (don't forget to set the PasswordChar on the password TextBox). Then, create an instance of an ICredentials implementation - like NetworkCredentials which is provided in the .NET base class libraries - and assign that instance as your HttpWebRequest.Credentials property. You may want to keep that once you get a 200 (or something besides 401 or another error) response. If you're running on Windows XP or newer, you can use DPAPI to store the password, which is a Windows facility for storing network and Internet (including Passport) credentials. There's a pretty good article about it on MSDN at http://msdn.microsoft.com/library/en-us/dnnetsec/html/dpapiusercredentials.asp. This isn't required for a solution, though, just more of a nicety for users (and alleviates the burden on you of securely caching passwords for remote resources if you choose to support it).
Microsoft MVP, Visual C#
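The bounded retry loop described in the reply above, as an added example that is not the poster's code. It assumes .NET Framework on Windows; `AuthRetry`, `CredentialPrompt` and `ProtectPassword` are hypothetical names, and the prompt callback stands in for whatever dialog the application shows.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;   // ProtectedData (DPAPI); reference System.Security.dll
using System.Text;

static class AuthRetry
{
    // Hypothetical callback: show your own dialog; return null if the user cancels.
    public delegate NetworkCredential CredentialPrompt(Uri uri, int attempt);

    // Returns the first non-401 response; 'accepted' is the credential that worked (or null).
    public static HttpWebResponse Get(Uri uri, CredentialPrompt prompt, int maxAttempts,
                                      out NetworkCredential accepted)
    {
        NetworkCredential cred = null;
        for (int attempt = 1; attempt <= maxAttempts; attempt++)
        {
            // A request object cannot be resent, so create a fresh one per attempt.
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(uri);
            request.Credentials = cred;
            try
            {
                HttpWebResponse ok = (HttpWebResponse)request.GetResponse();
                accepted = cred;
                return ok;
            }
            catch (WebException ex)
            {
                HttpWebResponse failed = ex.Response as HttpWebResponse;
                if (failed == null || failed.StatusCode != HttpStatusCode.Unauthorized)
                    throw;                      // not an authentication problem
                failed.Close();
                if (attempt == maxAttempts) break;
                cred = prompt(uri, attempt);
                if (cred == null) break;        // user cancelled the dialog
            }
        }
        accepted = null;
        throw new UnauthorizedAccessException("No accepted credentials for " + uri);
    }

    // DPAPI: encrypt the password for the current Windows user before caching it.
    public static byte[] ProtectPassword(string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        try { return ProtectedData.Protect(plain, null, DataProtectionScope.CurrentUser); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }
}
```

The protected bytes can only be recovered with `ProtectedData.Unprotect` under the same Windows account, so they are safe to write to a per-user settings file.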
-
Hmmm. The problem with that solution is that I really don't know what the server requires. The dialog that is displayed can be customized at the server level and I just want to display that one. Some will require the domain and some do not. I have no idea what to put on the form. The wininet dll just handles all of that for you. Isn't there a .NET equivalent?
-
The HTTP response will tell you what authentication is supported. That's the HTTP standard (most likely a different RFC - it's been a long time since I studied them). For example, Digest will also pass you a hashcode that you use with yours - can't remember off the top of my head how - and that you pass back to the server for verification and that it uses to verify the password (by performing the same hash and comparing). You can use some of the other classes in the System.Net namespace, such as the AuthenticationManager, which automatically registers handlers for basic, digest, negotiate, NTLM, and Kerberos. Look at the docs for the AuthenticationManager (the actual class documentation, or overview) for an example. Some of these things are handled for you but you still have to tell the HttpWebRequest what the credentials are, which requires that you prompt. Based on the HttpWebResponse.StatusDescription, you could customize your dialog accordingly (providing the basic REALM or something like that).
Microsoft MVP, Visual C#
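An added example, not part of the thread, showing one way to decide what the dialog should ask for: HTTP carries the offered schemes and the realm in the `WWW-Authenticate` header of the 401 response, so the sketch parses those values. `Challenge` and `ChallengeParser` are hypothetical names, the domain-field rule is a heuristic assumption, and the header values in `Main` are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

class Challenge
{
    public string Scheme;          // Basic, Digest, NTLM, Negotiate, ...
    public string Realm;           // label the server wants shown; null if none
    public bool AskForDomain;      // heuristic (assumption): Windows schemes use a domain
    public bool PasswordExposed;   // Basic over plain http is only base64-encoded
}

static class ChallengeParser
{
    static readonly Regex RealmRx = new Regex("realm\\s*=\\s*\"([^\"]*)\"", RegexOptions.IgnoreCase);

    // headerValues: what failed.Headers.GetValues("WWW-Authenticate") returned on the 401.
    public static List<Challenge> Parse(Uri uri, string[] headerValues)
    {
        List<Challenge> result = new List<Challenge>();
        foreach (string raw in headerValues ?? new string[0])
        {
            string value = raw.Trim();
            if (value.Length == 0) continue;
            string scheme = value.Split(' ')[0];
            if (scheme.IndexOf('=') >= 0) continue;   // a parameter fragment, not a scheme
            Match m = RealmRx.Match(value);
            Challenge c = new Challenge();
            c.Scheme = scheme;
            c.Realm = m.Success ? m.Groups[1].Value : null;
            c.AskForDomain = Is(scheme, "NTLM") || Is(scheme, "Negotiate");
            c.PasswordExposed = Is(scheme, "Basic") && uri.Scheme != Uri.UriSchemeHttps;
            result.Add(c);
        }
        return result;
    }

    static bool Is(string a, string b) { return string.Equals(a, b, StringComparison.OrdinalIgnoreCase); }

    static void Main()
    {
        // Constructed sample header values, not captured from a real server.
        string[] sample = { "Negotiate", "NTLM", "Basic realm=\"Build reports\"" };
        foreach (Challenge c in Parse(new Uri("http://intranet.example/reports"), sample))
            Console.WriteLine("{0,-9} realm={1} domain={2} exposed={3}",
                c.Scheme, c.Realm ?? "(none)", c.AskForDomain, c.PasswordExposed);
    }
}
```

A dialog built from this can show the realm as its caption, add a domain field only when `AskForDomain` is set, and refuse or warn before sending a password when `PasswordExposed` is true.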