ASP.Net Web API - Authorization header blank

Question

I am having to re-write an existing REST API using .NET (originally written with Ruby). From the client's perspective, it has to work exactly the same way as the old API - i.e. the client code mustn't need to change. The current API requires Basic Authentication. So to call the old API, the following works perfectly:-

        var wc = new System.Net.WebClient();
        var myCache = new CredentialCache();
        myCache.Add(new Uri(url), "Basic", new NetworkCredential("XXX", "XXX"));
        wc.Credentials = myCache;
        var returnBytes = wc.DownloadData("http://xxxx");

(I have had to ommit the real URL / username / password etc for security reasons).

Now I am writing the new API using ASP.Net Web API with MVC4. I have a weird problem and cannot find anybody else with exactly the same problem. In order to support Basic Authentication, I have followed the guidelines here:

http://sixgun.wordpress.com/2012/02/29/asp-net-web-api-basic-authentication/

One thing, I put the code to "hook in the handler" in the Global.asax.cs file in the Application_Start() event (that wasn't explained so I guessed).

Anyway, if I call my API (which I have deployed in IIS) using the above code, the Authorization header is always null, and the above fails with 401 Unauthorized. However, if I manually set the header using this code, it works fine - i.e. the Authorization header now exists and I am able to Authenticate the user.

    private void SetBasicAuthHeader(WebClient request, String userName, String userPassword)
    {
        string authInfo = userName + ":" + userPassword;
        authInfo = Convert.ToBase64String(Encoding.Default.GetBytes(authInfo));
        request.Headers["Authorization"] = "Basic " + authInfo;
    }
   .......
    var wc = new System.Net.WebClient();
    SetBasicAuthHeader(request, "XXXX", "XXXX");
    var returnBytes = wc.DownloadData("http://xxxx");

Although that works, it's no good to me because existing users of the existing API are not going to be manually setting the header.

Reading up on how Basic Authentication works, the initial request is meant to be anonymous, then the client is returned 401, then the client is meant to try again. However if I put a break point in my code, it will never hit the code again in Antony's example. I was expecting my breakpoint to be hit twice.

Any ideas how I can get this to work?

Kurt S · Accepted Answer · 2012-04-19 00:44:09Z

You're expecting the right behavior. System.Net.WebClient does not automatically include the Authorization headers upon initial request. It only sends them when properly challenged by a response, which to my knowledge is a 401 status code and a proper WWW-Authenticate header. See here and here for further info.

I'm assuming your basic authentication handler is not returning the WWW-Authenticate header and as such WebClient never even attempts to send the credentials on a second request. You should be able to watch this in Fiddler or a similar tool.

If your handler did something like this, you should witness the WebClient approach working:

//if is not authenticated or Authorization header is null
return base.SendAsync(request, cancellationToken).ContinueWith(task =>
    {
        var response = task.Result;
        response.StatusCode = HttpStatusCode.Unauthorized;
        response.Headers.Add("WWW-Authenticate", "Basic realm=\"www.whatever.com\"");
        return response;
    });

//else (is authenticated)
return base.SendAsync(request, cancellationToken);

As you noticed, if you include the Authorization headers on every request (like you did in your alternative approach) then your handler already works as is. So it may be sufficient - it just isn't for WebClient and other clients that operate in the same way.

Collectives™ on Stack Overflow

ASP.Net Web API - Authorization header blank

1 Answer 1

Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

1 Answer 1

Comments

Your Answer

Sign up or log in

Post as a guest

Related