SirPyros #1
Custom Authentication
I am implementing some custom authentication for an intranet app I am
building for my company. It is all done and working but I was wondering
if anyone knows if there are any downsides in terms of speed and
scalability in making your own authentication. Obviously if it is badly
coded you will have performance issues but if anyone knows of any common
pitfalls or any information they can share on the matter it will be
greatly appreciated.
SirPyros Guest
-
Shaun Wilde #2
RE: Custom Authentication
Can you explain more about your custom authentication?
Do you mean username and password, or something else?
Shaun
"SirPyros" wrote:
> I am implementing some custom authentication for an intranet app I am
> building for my company. It is all done and working but I was wondering
> if anyone knows if there are any downsides in terms of speed and
> scalability in making your own authentication. Obviously if it is badly
> coded you will have performance issues but if anyone knows of any common
> pitfalls or any information they can share on the matter it will be
> greatly appreciated.
>
Shaun Wilde Guest
-
SirPyros #3
Re: Custom Authentication
It's an IHttpModule which handles the AuthenticateRequest event. It's
similar to forms authentication, but I added better role checking, and
the permissions don't have to be in the web.config. I populate a class
with all of my page permissions and load it into an application variable.
Then when a user tries to go to a page, it sees if the page is restricted; if
it is, it checks if the user is authenticated and then checks if the user
belongs to a role that can access this page.
SirPyros Guest
-
Shaun Wilde #4
Re: Custom Authentication
It sounds similar to what we do, where I get the user's permissions from the
database, and is also similar to the samples presented by IBuySpy and DotNetNuke.
We build the permissions and then use the IsInRole method of a class whose
name escapes me at the moment.
"SirPyros" <SirPyros@hotmail.com> wrote in message
news:1112824872.518367.69180@f14g2000cwb.googlegroups.com...
> It's an IHttpModule which handles the AuthenticateRequest event. It's
> similar to forms authentication, but I added better role checking, and
> the permissions don't have to be in the web.config. I populate a class
> with all of my page permissions and load it into an application variable.
> Then when a user tries to go to a page, it sees if the page is restricted; if
> it is, it checks if the user is authenticated and then checks if the user
> belongs to a role that can access this page.
>
Shaun Wilde Guest
-
casper #5
Custom authentication
I'm building an application where external applications can download
files from. The external application makes a webrequest with credentials
to my application. Before returning the file as a stream I need to
check username and password of the request. Usernames/passwords are
stored in a sql server.
How do I retrieve the username and password from the webrequest?
/casper
casper Guest
-
Joe Kaplan (MVP - ADSI) #6
Re: Custom authentication
The transport level security stuff is designed to work with Windows
authentication, not custom authentication. It is intended to plug into the
auth mechanisms supported by IIS, not custom protocols.
That said, if you really must use the CredentialCache with HttpWebRequest,
you will essentially want to implement your own Basic authentication
protocol as you'll probably need plaintext passwords, right?
Essentially, you would disable authentication in IIS (set to anonymous).
Then, you would implement an HTTP module that handles the BeginRequest
method and checks for the presence of a Basic authentication header. If one
is not present, you would set the status code to 401 and add the proper
WWW-Authenticate header to the return response and call CompleteRequest.
Then, in a separate event handler for the module (AuthenticateRequest), you
would read the basic authentication header, extract user name and password
and authenticate against your data source as appropriate. If the user is
authenticated, you would create some kind of a GenericPrincipal for the user
and associate it with the HttpContext.User property. If not, you would send
it back again.
Then, in web.config, you would set up authorization to only allow
authenticated users, and you should be all set.
I'd suggest reading up on basic authentication in the RFC spec and doing
some network or http header sniffing so you can see how it works and what
the headers look like.
You will also need to decide whether to lock out accounts after too many bad
password attempts and whether to allow more than X attempts to authenticate
a certain user in a certain period of time. A lot of this depends on how
secure you need this to be and how resistant to hacking you want to make it.
Best of luck,
Joe K.
"casper" <casper.skovgaard@gmail.com> wrote in message
news:1115886934.112457.283110@o13g2000cwo.googlegroups.com...
> I'm building an application where external applications can download
> files from. The external application makes a webrequest with credentials
> to my application. Before returning the file as a stream I need to
> check username and password of the request. Usernames/passwords are
> stored in a sql server.
> How do I retrieve the username and password from the webrequest?
>
> /casper
>
Joe Kaplan (MVP - ADSI) Guest
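
An added example, not code from the thread or from the article linked later in it, of the HTTP module described in post #6: with IIS set to anonymous, the module issues the 401 challenge, parses the Basic header and sets HttpContext.User. The class name, the realm and the ValidateUser hook (where the SQL Server lookup would go, implemented in a concrete subclass that is registered in web.config) are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

public abstract class BasicAuthModule : IHttpModule
{
    const string Realm = "Downloads"; // hypothetical realm name
    // Hypothetical hook: verify the pair against your own store (e.g. SQL Server).
    protected abstract bool ValidateUser(string user, string password);
    public void Init(HttpApplication app)
    {
        app.BeginRequest += (s, e) =>
        {
            string u, p; // header absent or malformed: challenge and stop here
            if (!TryParse(app.Request.Headers["Authorization"], out u, out p)) Challenge(app);
        };
        app.AuthenticateRequest += (s, e) =>
        {
            string user, password;
            if (TryParse(app.Request.Headers["Authorization"], out user, out password)
                && ValidateUser(user, password))
                app.Context.User = new GenericPrincipal(new GenericIdentity(user, "Basic"), new string[0]);
            else
                Challenge(app); // wrong credentials: send the challenge again
        };
    }
    // Parses "Basic base64(user:password)"; only the first ':' separates the two.
    public static bool TryParse(string header, out string user, out string password)
    {
        user = password = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; }
        int colon = decoded.IndexOf(':');
        if (colon <= 0) return false; // no separator or empty user name
        user = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }
    static void Challenge(HttpApplication app)
    {
        app.Response.StatusCode = 401;
        app.Response.AddHeader("WWW-Authenticate", "Basic realm=\"" + Realm + "\"");
        app.CompleteRequest(); // skips the rest of the pipeline, including AuthenticateRequest
    }
    public void Dispose() { }
}
```

Basic credentials are only base64-encoded on the wire, so the site needs to be served over HTTPS. The lockout and attempt-limiting decisions raised in the post would be enforced inside ValidateUser.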
-
casper #7
Re: Custom authentication
Hi Joe,
thanks for the answer, it helped me a lot.
Based on your answer I found this site:
http://www.eggheadcafe.com/articles/20030701.asp
and solved the problem.
Best regards
Casper
casper Guest
-
Joe Kaplan (MVP - ADSI) #8
Re: Custom authentication
Good deal. Glad to help,
Joe K.
"casper" <casper.skovgaard@gmail.com> wrote in message
news:1115982042.240605.185560@g43g2000cwa.googlegroups.com...
> Hi Joe,
>
> thanks for the answer, it helped me a lot.
>
> Based on your answer I found this site:
> http://www.eggheadcafe.com/articles/20030701.asp
> and solved the problem.
>
> Best regards
> Casper
>
Joe Kaplan (MVP - ADSI) Guest