Retrieving username/password from HTTP Authentication in webservice

I have a webservice which receives a post with the user name/password in the headers:

POST /reporting/test.asmx/user_reply? HTTP/1.1
Authorization: Basic Z2lsbGlhbjpnaWxsaWFu
Host: 10.1.1.88:666
Pragma: no-cache
Accept: */*
Content-Length: 141
Content-Type: application/x-www-form-urlencoded

id=3130890&msg=8d62409c2202b238ce09be5a09254607

HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.1
Date: Wed, 19 Nov 2008 23:16:08 GMT
X-Powered-By: ASP.NET

I can retrieve the 'id' and 'msg' values from the query string by doing something like

string id = this.Context.Request.QueryString["id"];

but I don't know how to retrieve the user name/password values from the post.

Can someone please help?

0
ripneet
11/20/2008 11:49:53 PM

Hi,

What are you exactly trying to retrieve, is it the

Authorization: Basic Z2lsbGlhbjpnaWxsaWFu

text? or something else?

Thanks,

Auschucky

0
auschucky
11/21/2008 4:36:10 AM

auschucky:

What are you exactly trying to retrieve, is it the 

Authorization: Basic Z2lsbGlhbjpnaWxsaWFu

text? or something else?



yes .. I want to retrieve the Z2lsbGlhbjpnaWxsaWFu text but can't figure out how to

thanks..
0
ripneet
11/21/2008 5:30:36 AM

Have you tried using this:

this.Context.Request.Headers["Authorization"]

I can't try it on my machine but it should work.

0
auschucky
11/21/2008 5:35:38 AM

auschucky:
this.Context.Request.Headers["Authorization"]
 

I tried it, but it didn't work. I don't think the username:password hash is actually included in the headers..

0
ripneet
11/24/2008 1:21:53 AM

That's interesting, it appears to be surrounded by headers.

Can you turn on the trace to see where the information is coming in?

0
auschucky
11/24/2008 1:25:37 AM

ok.. I'm fairly new to .NET but I managed to get the trace working.

The post received by the webservice was:

POST /reporting/mobile.asmx/sms_reply? HTTP/1.1
Authorization: Basic Z2lsbGlhbjpnaWxsaWFu
Host: 10.1.1.88:666
Pragma: no-cache
Accept: */*
Content-Length: 141
Content-Type: application/x-www-form-urlencoded

api_id=3130890&apiMsgId=7b5874cfb9ee785901bf348310b8d14c&cliMsgId=&timestamp=1227498223&to=61433835091&from=m-View&status=004&charge=0.800000

And the trace details from the webmethod is :

Request Details

Session Id:
Request Type:       POST
Time of Request:    24/11/2008 2:43:46 PM
Status Code:        200
Request Encoding:   Unicode (UTF-8)
Response Encoding:  Unicode (UTF-8)

Trace Information

Category    Message    From First(s)    From Last(s)

Control Tree

Control UniqueID    Type    Render Size Bytes (including children)    ViewState Size Bytes (excluding children)    ControlState Size Bytes (excluding children)

Session State

Session Key    Type    Value

Application State

Application Key    Type    Value

Request Cookies Collection

Name    Value    Size

Response Cookies Collection

Name    Value    Size

Headers Collection

Name              Value
Pragma            no-cache
Content-Length    141
Content-Type      application/x-www-form-urlencoded
Accept            */*
Host              10.1.1.88:666
X-Rewrite-URL     /reporting/mobile.asmx/sms_reply?

Form Collection

Name         Value
api_id       3130890
apiMsgId     7b5874cfb9ee785901bf348310b8d14c
cliMsgId
timestamp    1227498223
to           61433835091
from         m-View
status       004
charge       0.800000

Querystring Collection

Name    Value

Server Variables

Name                    Value
ALL_HTTP                HTTP_PRAGMA:no-cache HTTP_CONTENT_LENGTH:141 HTTP_CONTENT_TYPE:application/x-www-form-urlencoded HTTP_ACCEPT:*/* HTTP_HOST:10.1.1.88:666 HTTP_X_REWRITE_URL:/reporting/mobile.asmx/sms_reply?
ALL_RAW                 Pragma: no-cache Content-Length: 141 Content-Type: application/x-www-form-urlencoded Accept: */* Host: 10.1.1.88:666 X-Rewrite-URL: /reporting/mobile.asmx/sms_reply?
APPL_MD_PATH            /LM/W3SVC/1/Root/reporting
APPL_PHYSICAL_PATH      C:\Inetpub\wwwroot\reporting\
AUTH_TYPE
AUTH_USER
AUTH_PASSWORD
LOGON_USER
REMOTE_USER
CERT_COOKIE
CERT_FLAGS
CERT_ISSUER
CERT_KEYSIZE
CERT_SECRETKEYSIZE
CERT_SERIALNUMBER
CERT_SERVER_ISSUER
CERT_SERVER_SUBJECT
CERT_SUBJECT
CONTENT_LENGTH          141
CONTENT_TYPE            application/x-www-form-urlencoded
GATEWAY_INTERFACE       CGI/1.1
HTTPS                   off
HTTPS_KEYSIZE
HTTPS_SECRETKEYSIZE
HTTPS_SERVER_ISSUER
HTTPS_SERVER_SUBJECT
INSTANCE_ID             1
INSTANCE_META_PATH      /LM/W3SVC/1
LOCAL_ADDR              10.1.1.110
PATH_INFO               /reporting/mobile.asmx/sms_reply
PATH_TRANSLATED         C:\Inetpub\wwwroot\reporting\mobile.asmx
QUERY_STRING
REMOTE_ADDR             196.5.254.33
REMOTE_HOST             196.5.254.33
REMOTE_PORT             45191
REQUEST_METHOD          POST
SCRIPT_NAME             /reporting/mobile.asmx
SERVER_NAME             10.1.1.88
SERVER_PORT             80
SERVER_PORT_SECURE      0
SERVER_PROTOCOL         HTTP/1.1
SERVER_SOFTWARE         Microsoft-IIS/5.1
URL                     /reporting/mobile.asmx
HTTP_PRAGMA             no-cache
HTTP_CONTENT_LENGTH     141
HTTP_CONTENT_TYPE       application/x-www-form-urlencoded
HTTP_ACCEPT             */*
HTTP_HOST               10.1.1.88:666
HTTP_X_REWRITE_URL      /reporting/mobile.asmx/sms_reply?


0
ripneet
11/24/2008 3:55:35 AM

Have you checked out this article?

http://forums.asp.net/t/1172902.aspx

0
auschucky
11/24/2008 4:54:33 AM

Hi ripneet,

Have you tried the way mentioned by auschucky? It seems strange. Actually, it can be achieved by using Context.Request.Headers["Authorization"] in my test. How do you access the web service? Please show us more details.

Thanks.


David Qian
Microsoft Online Community Support

Please remember to mark the replies as answers if they help and unmark them if they provide no help.
0
Wencui
11/25/2008 9:22:32 AM

Thanks for your response guys..

So I logged a support request with the company from which I receive the post. They said that the username and passwords are not included in the callbacks.

The username and password are for the webserver (which receives the posts) if it requires authentication (i.e. login).

If I'm understanding it correctly, I need to do the validation check on the IIS server hosting the website. Am I right? And if I am, then can we just restrict access to one webmethod or a webservice rather than the whole website?

0
ripneet
11/25/2008 10:16:12 PM

Thanks for your followup ripneet.

I couldn't understand the problem clearly. Here I'll show you how to get the header step by step:

Step 1. In IIS, you have to deny the Anonymous Authentication and allow Windows Authentication.

Step 2. Then, use Windows Authentication in Web Service.

Step 3. In the client application, add the credentials when calling the Web Service. For instance:

WS.Service1 sc = new WS.Service1();
sc.Credentials = System.Net.CredentialCache.DefaultCredentials;
int res = sc.Add(3, 4);

Step 4. Get the header in Web Service like this:

public class Service1 : System.Web.Services.WebService
{
     [WebMethod]
     public int Add(int a, int b)
     {
         string cred = Context.Request.Headers["Authorization"];

         // Analyze the credential string

         return a + b;
     }
}
Thanks.  
David Qian
Microsoft Online Community Support

0
Wencui
11/26/2008 3:31:54 AM
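
An added example, not part of the original thread or of any poster's code: one way to do the "Analyze the credential string" step from Step 4. The value after "Basic" is the Base64 encoding of user:password (reversible, not a hash), so the sketch decodes it and rejects a missing header, other schemes such as NTLM, and malformed input. The class and method names are hypothetical.

```csharp
using System;
using System.Text;

public static class BasicAuthHeader   // hypothetical helper, not from the thread
{
    // Returns true and sets user/password only for a well-formed "Basic" credential.
    public static bool TryParse(string header, out string user, out string password)
    {
        user = null;
        password = null;
        if (string.IsNullOrEmpty(header)) return false;   // header absent, as in the trace

        string[] parts = header.Trim().Split(new char[] { ' ' }, 2);
        if (parts.Length != 2) return false;
        // Scheme names are case-insensitive; NTLM/Negotiate tokens are not user:password.
        if (!string.Equals(parts[0], "Basic", StringComparison.OrdinalIgnoreCase)) return false;

        byte[] raw;
        try { raw = Convert.FromBase64String(parts[1].Trim()); }
        catch (FormatException) { return false; }          // not valid Base64

        // Assumption: the client encoded the pair as UTF-8 (ASCII is a subset).
        string pair = Encoding.UTF8.GetString(raw);
        int colon = pair.IndexOf(':');                     // first colon: passwords may contain ':'
        if (colon < 0) return false;

        user = pair.Substring(0, colon);
        password = pair.Substring(colon + 1);
        return true;
    }

    public static void Main()
    {
        string[] samples = {
            "Basic Z2lsbGlhbjpnaWxsaWFu",   // header value from the request in this thread
            "basic dXNlcjpwYTpzcw==",       // constructed: password containing a colon
            "NTLM TlRMTVNTUAABAAAA",        // constructed: a non-Basic scheme
            "Basic not-base64!",            // constructed: malformed token
            null                            // header missing
        };
        foreach (string h in samples)
        {
            string u, p;
            bool ok = TryParse(h, out u, out p);
            // Print the password length only, so the secret stays out of logs.
            Console.WriteLine("{0,-30} -> {1}", h ?? "(no header)",
                ok ? "user=" + u + ", password length=" + p.Length : "rejected");
        }
    }
}
```

Inside the web method the input would be Context.Request.Headers["Authorization"]. Because the encoding is reversible, the header exposes the password to anyone who can read the traffic when the endpoint is served without TLS (the trace in this thread shows HTTPS off).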