Basic Authenticationhttp://asp.netSun, 05 May 2013 19:44:58 GMTumbracoComments for Basic AuthenticationenComment Posted by subscihttp://asp.net/web-api/overview/security/basic-authenticationFri, 01 Feb 2013 04:15:51 GMT00000000-0000-0000-0000000018292Some missing details for the Basic Authentication with Custom Membership case that I needed to make this work follow.

Clearly a HttpClient (non-browser) requires an AuthenticationHeaderValue indicating the Basic scheme and the Base64 encoded username:password.

All IIS authentication for the web app should be disabled--go to IIS manager for this web app and go to authentication and disable all: anonymous, forms, basic, windows, impersonation.

I removed the <system.web><authentication> element in the web.config

It would be interesting to see an example with a Handler rather than a Module.

]]>Comment Posted by bernardjclarkhttp://asp.net/web-api/overview/security/basic-authenticationWed, 06 Mar 2013 21:39:39 GMT00000000-0000-0000-0000000018597Thank God for @subsci

There should be much better guidance as to how to configure IIS to make this work.

Microsoft seem hell bent on describing Web API security as something either done via Windows Authentication or by using Forms and a browser when absolutely no one is using Web API in that context.

Given that most security vulnerabilities occur through poor execution of best practice, Microsoft needs to offer clearer guidance on how to implement Authentication in Web API.

]]>Comment Posted by bernardjclarkhttp://asp.net/web-api/overview/security/basic-authenticationWed, 06 Mar 2013 21:41:17 GMT00000000-0000-0000-0000000018598Also - I didn't realize that the 'type' attribute (type="WebHostBasicAuth.Modules.BasicAuthHttpModule, BasicAuth" above) actually specifies the assembly and nor does it indicate where the resulting DLL needs to be placed.

My assembly was called "AuthModule" and so I needed to change the above attribute to type="WebHostBasicAuth.Modules.BasicAuthHttpModule, AuthModule" and the resulting DLL placed in the BIN folder of my Web API application.

This is not explained well in the guidance above.

]]>Comment Posted by leotohillhttp://asp.net/web-api/overview/security/basic-authenticationSat, 30 Mar 2013 23:28:23 GMT00000000-0000-0000-0000000018819Isn't something missing? Doesn't something need to set Reponse.StatusCode = 401 ?

]]>Comment Posted by RolyLanderhttp://asp.net/web-api/overview/security/basic-authenticationFri, 03 May 2013 19:25:58 GMT00000000-0000-0000-0000000019034test please Mike Wasson, how Basic Authentication with Custom Membership from fiddler?

]]>Comment Posted by RolyLanderhttp://asp.net/web-api/overview/security/basic-authenticationSun, 05 May 2013 00:17:29 GMT00000000-0000-0000-0000000019037con * Usar IIS Express funciona, pero en el IIS Local ya me da error de authentication... que configuracion me falta en IIS 8.... alguien sabe... por favor

]]>Comment Posted by RolyLanderhttp://asp.net/web-api/overview/security/basic-authenticationSun, 05 May 2013 19:44:58 GMT00000000-0000-0000-0000000019042solucion:(del problema que tenia) en IIS 8 : en la aplicacion clic en Autenticacion, deshabilitar todo excepto -> Autenticacion anónima(esta tiene q estar Habilitada) ... con esto deberia de funcionar --> Basic Authentication with Custom Membership

]]>