Hi all
I am picking away at the digest auth just now and I have placed the requires
authentication attribute on my handler method for POST.
I have also written a concrete fake implementation of
IAuthenticationProvider, and have written a test using HttpWebRequest to try
and pick away at the digest until I crack it.
I have attached below the code I'm using for testing and the implementation
of IAuthenticationProvider. My issue is that I can see in Fiddler that the
headers for the digest authorisation are being set (by OR, I believe), but it
always returns a 404.
In the test I am setting the same credentials on the request as are in the
fake auth provider.
I have a very strong feeling that I have missed something blatantly obvious.
David
using OpenRasta.Authentication;

// Fake provider registered with OpenRasta: hands back the same credentials for any username.
public class AuthenticationProvider : IAuthenticationProvider
{
    public Credentials GetByUsername(string username)
    {
        // The password here must match what the client sends. The original post had
        // "P@ssword" here while the test below sends "P@ssw0rd", so every digest check failed.
        return new Credentials { Password = "P@ssw0rd", Username = "Username" };
    }
}
using System;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Text;
using NUnit.Framework;

[TestFixture]
public class Class1
{
    [Test]
    public void Foo()
    {
        var uri = new Uri("http://localhost/mypostmethod");
        var webRequest = (HttpWebRequest) WebRequest.Create(uri);
        webRequest.Method = "POST";
        webRequest.ContentType = "application/x-www-form-urlencoded";
        webRequest.Accept = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";

        // Digest credentials: HttpWebRequest answers the server's 401 challenge with these.
        var credCache = new CredentialCache();
        credCache.Add(uri, "Digest", new NetworkCredential("Username", "P@ssw0rd"));
        webRequest.Credentials = credCache;

        // The body is already form-urlencoded and must be sent as-is; the original
        // HttpUtility.HtmlDecode call was effectively a no-op here and has been dropped.
        var postData = "FromDate=5%2F20%2F2009&ToDate=10%2F20%2F2009"
            + "&PagePaths=%2Fpost%2F2008%2F12%2F11%2FHORN-Build-Server-Thank-you-Team-City%21.aspx"
            + "&PagePaths=%2Fpost%2F2008%2F12%2F21%2FAnyone-need-a-shit-hot-CGIArtistIllustrator.aspx"
            + "&PagePaths=%2Fpost%2F2009%2F01%2F29%2FMVCNET-RC-Full-Windsor-Stack-with-MVC-Contrib.aspx";
        var byteData = Encoding.UTF8.GetBytes(postData);
        webRequest.ContentLength = byteData.Length;
        using (var stream = webRequest.GetRequestStream())
        {
            stream.Write(byteData, 0, byteData.Length);
        }

        string responseText;
        using (var response = webRequest.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
        {
            responseText = reader.ReadToEnd();
        }

        // XmlToObjectLoaderBase and QualifiedVisitorsReport are David's own types (not shown here).
        new XmlToObjectLoaderBase<QualifiedVisitorsReport>().Load(responseText);
        Debug.Write(responseText);
    }
}
------ Test started: Assembly: Web.Specs.dll ------
TestCase 'Web.Specs.Class1.Foo' failed: System.Net.WebException : The remote
server returned an error: (404) Not Found.
at System.Net.HttpWebRequest.GetResponse()
Class1.cs(43,0): at Web.Specs.Class1.Foo()
0 passed, 1 failed, 0 skipped, took 31.37 seconds (NUnit 2.5.1).
2009/10/22 David Lawton <da...@davetheninja.net>
> Hi Seb, thanks for the detailed response. I think I have a clearer
> understanding now, and I also believe that digest is more than ample
> for what I'm doing as it will be running over https.
> I started implementing digest earlier, and believe I am getting close
> to getting it running. It hits the IAuthenticationProvider but always
> returns a 404. Not sure exactly why as yet but I'll get to the bottom
> of it.
> Thanks again
> David
> Sent from my iPhon
> On 22 Oct 2009, at 19:30, "Sebastien Lambla" <s...@serialseb.com> wrote:
> > Yo all,
> > HTTP digest is the way to send relatively secure (non seeded pwd hashes)
> > credentials over HTTP. The problem with digest is that, while it's more
> > secure than HTTP basic, it still receives non-seeded pwds. That has two
> > effects.
> > First, it's susceptible to dictionary attacks, so only reasonably long
> > passwords should be used over non-ssl transports.
> > Second, it requires your db to store the pwd in clear text or the direct
> > hash, rather than a hash + seed. That means that you need to think that in
> > case your db gets compromised, finding out the passwords of your user base
> > is still subject to dictionary attacks. This can be mitigated by
> > encrypting the column in sql 2008+, which closes the problem if someone gets
> > hold of the mdf, but doesn't protect you against sql injection etc.
> > Digest is still better than Basic, but unless all your pwds are of a
> > reasonable size, I'd recommend using those over SSL only.
> > That said, the best way is probably to use your API key as the pwd in digest
> > auth, and generate such key to be for example hash(pwd+seed) and store that
> > at user account creation time. That's assuming you're storing only
> > hash(pwd+seed) and seed in your db.
> > I'm much less happy with most solutions that require custom http headers for
> > api keys when http authentication already provides for a combination
> > username + secret. Add to the fact that every http toolkit out there
> > supports http authentication, it would be a shame not to use it.
> > As for windows authentication, you can still use that, but that's IIS
> > responsibility, not OR.
> > To answer the remaining question, you currently need to register an
> > IAuthenticationProvider, and it currently only supports clear-text pwd
> > storage.
> > Next version we'll make the authentication system more pluggable, but right
> > now only digest is supported.
> > Seb
> > -----Original Message-----
> > From: openrasta@googlegroups.com [mailto:openrasta@googlegroups.com] On
> > Behalf Of Dave the Ninja
> > Sent: 22 October 2009 07:52
> > To: OpenRasta
> > Subject: [openrasta] Re: API Key/Authorization/Authentication in Open Rasta
> > Hi Barry
> > I had a look at your other thread earlier, and I have been hacking
> > away to figure it out.
> > Am I correct in assuming Digest Auth is the equivalent of Windows
> > Authentication?
> > I like the way it transports the password as MD5 (I think) encrypted
> > as I am not too keen on passing clear text passwords over http (POST).
> > I am currently trying to figure out how it validates the password -
> > however I am starting to think I may be chasing ghosts and that your
> > example is the correct way forward.
> > David
> > On Oct 22, 2:43 pm, Barry Dahlberg <barry.dahlb...@gmail.com> wrote:
> >> I have a pipeline contributor which checks query strings for the key
> >> and either pushes a UserContext into the dependency resolver or
> >> returns an Unauthorised response. I then have an operation
> >> interceptor which runs later and checks that the current UserContext
> >> has permissions for the given handler. I'm using attributes to tag
> >> required permissions on the handlers. You can see part of it in this
> >> thread:
> >> http://groups.google.com/group/openrasta/browse_thread/thread/
> >> 5d38261...
> >> I haven't touched the IAuthenticationProvider at all, I'm not sure if
> >> it was intended to be a general thing or just for the digest auth,
> >> Seb?
--
"I am not able to rightly apprehend the kind of confusion of ideas that
could provoke such a question." -- Charles Babbage
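Seb's point above, that a digest server must hold either the clear-text password or its direct (unsalted) hash, and the credential mismatch in David's test, worked through as an added example; this is not code from the thread or from OpenRasta, and the realm name, nonce values and the SHA-256 choice for the API-key derivation are assumptions.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # RFC 2617 HA1: the "direct hash" a digest server can store instead of the password.
    # It is unsalted (username and realm are public), hence Seb's dictionary-attack concern.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_value: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    # RFC 2617 response for qop=auth; only this hash crosses the wire, never the password.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(username, realm, password, method, uri, nonce, nc, cnonce):
    # What a client such as HttpWebRequest puts in the Authorization header's response= field.
    return digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)


class DigestVerifier:
    """Server side: keeps only HA1 per user. A salted hash would not work here,
    because the server must be able to recompute exactly what the client computed."""

    def __init__(self, realm: str):
        self.realm = realm
        self._ha1_by_user = {}

    def add_user(self, username: str, password: str) -> None:
        self._ha1_by_user[username] = ha1(username, self.realm, password)

    def verify(self, username, method, uri, nonce, nc, cnonce, response) -> bool:
        stored = self._ha1_by_user.get(username)
        if stored is None:
            return False
        expected = digest_response(stored, method, uri, nonce, nc, cnonce)
        return secrets.compare_digest(expected, response)  # constant-time comparison


def api_key_from_password(password: str, seed: str) -> str:
    # Seb's mitigation: store seed + hash(pwd+seed) and use that hash as the digest
    # password, so the digest secret on the server is not the raw user password.
    # The hash function is an assumption; the thread only says hash(pwd+seed).
    return hashlib.sha256((password + seed).encode("utf-8")).hexdigest()
```

The first two assertions in the test reproduce the RFC 2617 section 3.5 worked example; the rest show that a one-character password mismatch (P@ssword versus P@ssw0rd, as in the posted code) fails verification.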