Asp Forum - Authentication not working on HTTP-POST using NetworkCredential - microsoft.public.dotnet.framework.aspnet.webservices

Patrick Fogarty

8/25/2003 5:50:00 PM

I am programming what is to be a web service client that will use an
HTTP-POST to request and retrieve data. The remote server (written in java
for what it's worth) requires basic authentication as per RFC 2617
(http://www.faqs.org/rfcs/rf...). My attempts to authenticate are
failing. The server requires the header to be present with the request.
For security reasons, it will not reply in any way if the header is not
present.

More specifically, my attempts fail when attempting to attach a
'NetworkCredential' object to the 'Credentials' property of a
'HttpWebRequest' object. If I create the header manually, everything works
fine. When attempting to do it 'the Microsoft Way' no authentication
information is sent in the header, even if I set 'PreAuthenticate' = true.

What am I missing? Below are two examples. Each has the code to send the
request followed by the captured request header.

- Patrick

------------------------------------------------------------
<< the code that fails >>

(( assume reqBytes and SomeURI already set ))

request = (HttpWebRequest) WebRequest.Create(SomeURI);

request.PreAuthenticate = true;
request.Credentials = new NetworkCredential("JoeBlow","MountainHo");

request.Timeout = 20 * 1000;
request.Method = "POST";
request.ContentType = "application/x-www-form-urlencoded";
request.ContentLength = reqBytes.Length;

Stream reqStream = request
reqStream.Write(reqBytes,0,reqBytes.Length);
reqStream.Close();

------------------------------
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1718
Expect: 100-continue
Connection: Keep-Alive
Host: me:10000

------------------------------------------------------------
<< the code that works>>

(( assume reqBytes and SomeURI already set ))

request = (HttpWebRequest) WebRequest.Create(SomeURI);

// 'GetManualAuthorization' written by me to generate RFC2617-compliant
basic authentication header
request.Headers.Add("Authorization", GetManualAuthorization("JoeBlow",
"MountainHo"));

request.Timeout = 20 * 1000;
request.Method = "POST";
request.ContentType = "application/x-www-form-urlencoded";
request.ContentLength = reqBytes.Length;

Stream reqStream = request
reqStream.Write(reqBytes,0,reqBytes.Length);
reqStream.Close();

------------------------------
POST / HTTP/1.1
Authorization: BASIC Sm9lQmxvdzpNb3VudGFpbkhv
Content-Type: application/x-www-form-urlencoded
Content-Length: 1718
Expect: 100-continue
Connection: Keep-Alive
Host: me:10000

6 Answers

Frank Drebin

8/25/2003 6:04:00 PM

I'm not saying this is the best way (I am wincing as I write this), but you
could set the URL as:

http://someuser:somepassword@myserver/somepage.aspx

that's a quick way to handle basic authentication... sorry for the crappy
post.. :o)

"Patrick Fogarty" <padraig_fogarty@spam.hotmail.no.com> wrote in message
news:evY7KFzaDHA.1272@TK2MSFTNGP12.phx.gbl...
>
> I am programming what is to be a web service client that will use an
> HTTP-POST to request and retrieve data. The remote server (written in
java
> for what it's worth) requires basic authentication as per RFC 2617
> (http://www.faqs.org/rfcs/rf...). My attempts to authenticate are
> failing. The server requires the header to be present with the request.
> For security reasons, it will not reply in any way if the header is not
> present.
>
> More specifically, my attempts fail when attempting to attach a
> 'NetworkCredential' object to the 'Credentials' property of a
> 'HttpWebRequest' object. If I create the header manually, everything
works
> fine. When attempting to do it 'the Microsoft Way' no authentication
> information is sent in the header, even if I set 'PreAuthenticate' = true.
>
> What am I missing? Below are two examples. Each has the code to send the
> request followed by the captured request header.
>
>
> - Patrick
>
> ------------------------------------------------------------
> << the code that fails >>
>
> (( assume reqBytes and SomeURI already set ))
>
> request = (HttpWebRequest) WebRequest.Create(SomeURI);
>
> request.PreAuthenticate = true;
> request.Credentials = new NetworkCredential("JoeBlow","MountainHo");
>
> request.Timeout = 20 * 1000;
> request.Method = "POST";
> request.ContentType = "application/x-www-form-urlencoded";
> request.ContentLength = reqBytes.Length;
>
> Stream reqStream = request
> reqStream.Write(reqBytes,0,reqBytes.Length);
> reqStream.Close();
>
> ------------------------------
> POST / HTTP/1.1
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 1718
> Expect: 100-continue
> Connection: Keep-Alive
> Host: me:10000
>
>
>
> ------------------------------------------------------------
> << the code that works>>
>
> (( assume reqBytes and SomeURI already set ))
>
> request = (HttpWebRequest) WebRequest.Create(SomeURI);
>
> // 'GetManualAuthorization' written by me to generate RFC2617-compliant
> basic authentication header
> request.Headers.Add("Authorization", GetManualAuthorization("JoeBlow",
> "MountainHo"));
>
>
> request.Timeout = 20 * 1000;
> request.Method = "POST";
> request.ContentType = "application/x-www-form-urlencoded";
> request.ContentLength = reqBytes.Length;
>
> Stream reqStream = request
> reqStream.Write(reqBytes,0,reqBytes.Length);
> reqStream.Close();
>
> ------------------------------
> POST / HTTP/1.1
> Authorization: BASIC Sm9lQmxvdzpNb3VudGFpbkhv
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 1718
> Expect: 100-continue
> Connection: Keep-Alive
> Host: me:10000
>
>
>

Feroze [MSFT]

8/27/2003 1:36:00 AM

That will not work. The Authinfo from URLs is not used.

Unfortunately the only way to get your situation to work is to add the
authorization header manually. You can do this by doing a Convert.ToBase64()
of username:password string. And add that as an authorization header to the
base webrequest:

string authorization = Convert.ToBase64String(username + ":" +
password);
request.Headers["Authorization"] = "basic " + authorization;

The reason you have to do this is that HttpWebRequest will not send a
credential unless the server challenges with a 401 first.

--
Remove "user" from the email address to reply to the author.

This posting is provided "AS IS" with no warranties, and confers no rights

Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cp...

"Frank Drebin" <noemail@imsickofspam.com> wrote in message
news:Fcs2b.33228$Vx2.14462121@newssvr28.news.prodigy.com...
> I'm not saying this is the best way (I am wincing as I write this), but
you
> could set the URL as:
>
> http://someuser:somepassword@myserver/somepage.aspx
>
> that's a quick way to handle basic authentication... sorry for the crappy
> post.. :o)
>
> "Patrick Fogarty" <padraig_fogarty@spam.hotmail.no.com> wrote in message
> news:evY7KFzaDHA.1272@TK2MSFTNGP12.phx.gbl...
> >
> > I am programming what is to be a web service client that will use an
> > HTTP-POST to request and retrieve data. The remote server (written in
> java
> > for what it's worth) requires basic authentication as per RFC 2617
> > (http://www.faqs.org/rfcs/rf...). My attempts to authenticate
are
> > failing. The server requires the header to be present with the request.
> > For security reasons, it will not reply in any way if the header is not
> > present.
> >
> > More specifically, my attempts fail when attempting to attach a
> > 'NetworkCredential' object to the 'Credentials' property of a
> > 'HttpWebRequest' object. If I create the header manually, everything
> works
> > fine. When attempting to do it 'the Microsoft Way' no authentication
> > information is sent in the header, even if I set 'PreAuthenticate' =
true.
> >
> > What am I missing? Below are two examples. Each has the code to send
the
> > request followed by the captured request header.
> >
> >
> > - Patrick
> >
> > ------------------------------------------------------------
> > << the code that fails >>
> >
> > (( assume reqBytes and SomeURI already set ))
> >
> > request = (HttpWebRequest) WebRequest.Create(SomeURI);
> >
> > request.PreAuthenticate = true;
> > request.Credentials = new NetworkCredential("JoeBlow","MountainHo");
> >
> > request.Timeout = 20 * 1000;
> > request.Method = "POST";
> > request.ContentType = "application/x-www-form-urlencoded";
> > request.ContentLength = reqBytes.Length;
> >
> > Stream reqStream = request
> > reqStream.Write(reqBytes,0,reqBytes.Length);
> > reqStream.Close();
> >
> > ------------------------------
> > POST / HTTP/1.1
> > Content-Type: application/x-www-form-urlencoded
> > Content-Length: 1718
> > Expect: 100-continue
> > Connection: Keep-Alive
> > Host: me:10000
> >
> >
> >
> > ------------------------------------------------------------
> > << the code that works>>
> >
> > (( assume reqBytes and SomeURI already set ))
> >
> > request = (HttpWebRequest) WebRequest.Create(SomeURI);
> >
> > // 'GetManualAuthorization' written by me to generate RFC2617-compliant
> > basic authentication header
> > request.Headers.Add("Authorization", GetManualAuthorization("JoeBlow",
> > "MountainHo"));
> >
> >
> > request.Timeout = 20 * 1000;
> > request.Method = "POST";
> > request.ContentType = "application/x-www-form-urlencoded";
> > request.ContentLength = reqBytes.Length;
> >
> > Stream reqStream = request
> > reqStream.Write(reqBytes,0,reqBytes.Length);
> > reqStream.Close();
> >
> > ------------------------------
> > POST / HTTP/1.1
> > Authorization: BASIC Sm9lQmxvdzpNb3VudGFpbkhv
> > Content-Type: application/x-www-form-urlencoded
> > Content-Length: 1718
> > Expect: 100-continue
> > Connection: Keep-Alive
> > Host: me:10000
> >
> >
> >
>
>

China Blue Veins

3/20/2010 12:39:00 AM

In article <a7ba7$4ba3c5f8$4107e27c$19046@news.flashnewsgroups.com>,
"Bob" <no@email.address> wrote:

> "All the Tea in China Blue" <chine.bleu@yahoo.com> wrote in message
> news:chine.bleu-D0BE9F.11343819032010@news.eternal-september.org...
> > In article <310af$4ba3c14d$4107e27c$17661@news.flashnewsgroups.com>,
> > "Bob" <no@email.address> wrote:
> >
> >> The Republicans may be incompetent, but the Democrats are
> >> morally repugnant.
> >
> > Do you enjoy paying drug companies thanks to Bush's prescription coverage?
>
> I have pretty good drug coverage, which has nothing
> to do with Medicare Part D. Is that what you're talking
> about? What I would like to see in health care reform
> is a law that forced American drug companies to sell
> drugs to foreign entities at a price equal to or higher
> than they sell to customers in America. If that price is
> above those socialist style nations' limits, and they won't
> pay the American rate, they don't get the drugs. I don't
> like Americans subsidizing low drug prices in other nations.

So is that a yes or a no?

--
Damn the living - It's a lovely life. I'm whoever you want me to be.
Silver silverware - Where is the love? At least I can stay in character.
Oval swimming pool - Where is the love? Annoying Usenet one post at a time.
Damn the living - It's a lovely life. We support you, Sarah.

China Blue Veins

3/20/2010 12:41:00 AM

In article <4ba3fc9a$0$1622$c5fe31e7@read01.usenet4all.se>,
Sid6 <F@invalid.invalid> wrote:

> On 3/19/2010 5:51 PM, JayPee Vee wrote:
> > On 19 Mrz., 19:43, "Bob"<n...@email.address> wrote:
> >> "All the Tea in China Blue"<chine.b...@yahoo.com> wrote in
> >> messagenews:chine.bleu-D0BE9F.11343819032010@news.eternal-september.org...
> >>
> >>> In article<310af$4ba3c14d$4107e27c$17...@news.flashnewsgroups.com>,
> >>> "Bob"<n...@email.address> wrote:
> >>
> >>>> The Republicans may be incompetent, but the Democrats are
> >>>> morally repugnant.
> >>
> >>> Do you enjoy paying drug companies thanks to Bush's prescription
> >>> coverage?
> >>
> >> I have pretty good drug coverage,
> >
> > What for Americans who don't?
> > Fuck them, right boycott bob?
>
> THEY SHOULD WORK AND BUY BETTER COVERAGE. OR DO WITHOUT. UNLESS THE R
> DUMBOCRATS THEN THEY CAN GET THE G0VT TO STEAL IT

How do you feel about Bush's Africa AIDS initiatives, to get Americans to pay
drug companies instead of the Africans who are too poor?

--
Damn the living - It's a lovely life. I'm whoever you want me to be.
Silver silverware - Where is the love? At least I can stay in character.
Oval swimming pool - Where is the love? Annoying Usenet one post at a time.
Damn the living - It's a lovely life. We support you, Sarah.

Jericho

3/20/2010 2:26:00 AM

"All the Tea in China Blue" <chine.bleu@yahoo.com> wrote in message
news:chine.bleu-B5AD2B.17385019032010@news.eternal-september.org...
> In article <a7ba7$4ba3c5f8$4107e27c$19046@news.flashnewsgroups.com>,
> "Bob" <no@email.address> wrote:
>
>> "All the Tea in China Blue" <chine.bleu@yahoo.com> wrote in message
>> news:chine.bleu-D0BE9F.11343819032010@news.eternal-september.org...
>> > In article <310af$4ba3c14d$4107e27c$17661@news.flashnewsgroups.com>,
>> > "Bob" <no@email.address> wrote:
>> >
>> >> The Republicans may be incompetent, but the Democrats are
>> >> morally repugnant.
>> >
>> > Do you enjoy paying drug companies thanks to Bush's prescription
>> > coverage?
>>
>> I have pretty good drug coverage, which has nothing
>> to do with Medicare Part D. Is that what you're talking
>> about? What I would like to see in health care reform
>> is a law that forced American drug companies to sell
>> drugs to foreign entities at a price equal to or higher
>> than they sell to customers in America. If that price is
>> above those socialist style nations' limits, and they won't
>> pay the American rate, they don't get the drugs. I don't
>> like Americans subsidizing low drug prices in other nations.
>
> So is that a yes or a no?

Be more specific in your question.

China Blue Veins

3/20/2010 3:58:00 AM

In article <32522$4ba4328b$4107e27c$1099@news.flashnewsgroups.com>,
"Bob" <no@email.address> wrote:

> "All the Tea in China Blue" <chine.bleu@yahoo.com> wrote in message
> news:chine.bleu-B5AD2B.17385019032010@news.eternal-september.org...
> > In article <a7ba7$4ba3c5f8$4107e27c$19046@news.flashnewsgroups.com>,
> > "Bob" <no@email.address> wrote:
> >
> >> "All the Tea in China Blue" <chine.bleu@yahoo.com> wrote in message
> >> news:chine.bleu-D0BE9F.11343819032010@news.eternal-september.org...
> >> > In article <310af$4ba3c14d$4107e27c$17661@news.flashnewsgroups.com>,
> >> > "Bob" <no@email.address> wrote:
> >> >
> >> >> The Republicans may be incompetent, but the Democrats are
> >> >> morally repugnant.
> >> >
> >> > Do you enjoy paying drug companies thanks to Bush's prescription
> >> > coverage?
> >>
> >> I have pretty good drug coverage, which has nothing
> >> to do with Medicare Part D. Is that what you're talking
> >> about? What I would like to see in health care reform
> >> is a law that forced American drug companies to sell
> >> drugs to foreign entities at a price equal to or higher
> >> than they sell to customers in America. If that price is
> >> above those socialist style nations' limits, and they won't
> >> pay the American rate, they don't get the drugs. I don't
> >> like Americans subsidizing low drug prices in other nations.
> >
> > So is that a yes or a no?
>
> Be more specific in your question.

So it is a no except because of your compulsive need to kiss Bush's pimpled
butt, it comes out as a yes.

--
Damn the living - It's a lovely life. I'm whoever you want me to be.
Silver silverware - Where is the love? At least I can stay in character.
Oval swimming pool - Where is the love? Annoying Usenet one post at a time.
Damn the living - It's a lovely life. We support you, Sarah.

microsoft.public.dotnet.framework.aspnet.webservices

Authentication not working on HTTP-POST using NetworkCredential

Patrick Fogarty

Frank Drebin

Feroze [MSFT]

China Blue Veins

China Blue Veins

Jericho

China Blue Veins

x Login to ForumsZone