// Basic Authentication implementation
// Greg Reinacker (gregr@rassoc.com)
// Sebastien Pouliot (spouliot@motus.com)
// Copyright 2002-2003 Greg Reinacker, Reinacker & Associates, Inc. All rights reserved.
// Portions (C) 2003 Motus Technologies Inc. (http://www.motus.com)
// Based on "DigestAuthenticationModule.cs". Original source code available at
// http://www.rassoc.com/gregr/weblog/stories/2002/07/09/webServicesSecurityHttpDigestAuthenticationWithoutActiveDirectory.html
// Permission is hereby granted, free of charge, to any person obtaining
// a copy of this software and associated documentation files (the
// "Software"), to deal in the Software without restriction, including
// without limitation the rights to use, copy, modify, merge, publish,
// distribute, sublicense, and/or sell copies of the Software, and to
// permit persons to whom the Software is furnished to do so, subject to
// the following conditions:
// The above copyright notice and this permission notice shall be
// included in all copies or substantial portions of the Software.
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
using System;
using System.Configuration;
using System.IO;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Xml;
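namespace Mono.Http.Modules
{
	// HTTP Basic authentication backed by an XML user file.
	//
	// The file path is read from the "Basic.Users" application setting and the
	// realm from "Basic.Realm". The file is expected to look like
	// /users/user[@name, @password]/role[@name].
	//
	// Security notes for whoever deploys this:
	// - Basic credentials are only base64-encoded on the wire, so the module
	//   should be used over TLS only.
	// - The password attribute is compared directly with the password the client
	//   sent, i.e. the user file holds clear-text passwords. Restrict read
	//   access to it.
	// - The path is resolved with MapPath, so the file normally lives inside the
	//   site's directory tree; make sure the server cannot serve it directly.
	public class BasicAuthenticationModule : AuthenticationModule
	{
		public BasicAuthenticationModule () : base ("Basic") {}

		// Validates the base64 "user:password" token taken from the Authorization
		// header. On success the request's principal is set to the matching user
		// with the roles listed in the user file, and true is returned. Any
		// malformed token, unknown user or wrong password returns false.
		protected override bool AcceptCredentials (HttpApplication app, string authentication)
		{
			string username;
			string password;
			if (!TryParseCredentials (authentication, out username, out password))
				return false;

			// A missing setting means there is no user store: reject instead of
			// handing a null path to MapPath.
			string configuredPath = ConfigurationSettings.AppSettings ["Basic.Users"];
			if (configuredPath == null || configuredPath.Length == 0)
				return false;

			string userFileName = app.Request.MapPath (configuredPath);
			if (userFileName == null || !File.Exists (userFileName))
				return false;

			XmlDocument userDoc = new XmlDocument ();
			userDoc.Load (userFileName);

			XmlNode user = FindUser (userDoc, username);
			if (user == null)
				return false;

			XmlAttribute att = user.Attributes ["password"];
			if (att == null || !FixedTimeEquals (password, att.Value))
				return false;

			// username is now known to equal the name attribute of the node whose
			// password and roles were used, so identity and roles cannot diverge.
			app.Context.User = new GenericPrincipal (new GenericIdentity (username, AuthenticationMethod), ReadRoles (user));
			return true;
		}

		// Decodes the client-supplied token into user name and password.
		// Returns false (instead of throwing) when the token is missing, is not
		// valid base64, or contains no ':' separator.
		static bool TryParseCredentials (string authentication, out string username, out string password)
		{
			username = null;
			password = null;
			if (authentication == null)
				return false;

			string decoded;
			try {
				decoded = Encoding.UTF8.GetString (Convert.FromBase64String (authentication));
			} catch (FormatException) {
				// Attacker-controlled header: garbage must be a failed login,
				// not an unhandled exception.
				return false;
			}

			// Split at the FIRST colon only: the user name cannot contain ':',
			// but the password may, and everything after the first colon is
			// the password.
			int colon = decoded.IndexOf (':');
			if (colon < 0)
				return false;

			username = decoded.Substring (0, colon);
			password = decoded.Substring (colon + 1);
			return true;
		}

		// Returns the first /users/user element whose name attribute equals
		// username exactly, or null when there is none.
		//
		// The name is compared in code rather than formatted into an XPath
		// expression: username comes straight from the request, and quote
		// characters inside it would otherwise become part of the query.
		static XmlNode FindUser (XmlDocument userDoc, string username)
		{
			foreach (XmlNode candidate in userDoc.SelectNodes ("/users/user")) {
				XmlAttribute name = candidate.Attributes ["name"];
				if (name != null && name.Value == username)
					return candidate;
			}
			return null;
		}

		// Collects the name attribute of every role child of the user element.
		// Role elements without a name attribute are skipped, and the result is
		// sized to the names actually found so it never contains null entries.
		static string[] ReadRoles (XmlNode user)
		{
			XmlNodeList roleNodes = user.SelectNodes ("role");
			string[] found = new string [roleNodes.Count];
			int count = 0;
			foreach (XmlNode xn in roleNodes) {
				XmlAttribute rolename = xn.Attributes ["name"];
				if (rolename == null)
					continue;

				found [count++] = rolename.Value;
			}

			string[] roles = new string [count];
			Array.Copy (found, roles, count);
			return roles;
		}

		// Ordinal string equality whose running time does not depend on where the
		// first differing character is, so response timing does not reveal how
		// much of a guessed password was correct. Only the length can still be
		// inferred from timing.
		static bool FixedTimeEquals (string supplied, string expected)
		{
			int diff = supplied.Length ^ expected.Length;
			int shared = Math.Min (supplied.Length, expected.Length);
			for (int i = 0; i < shared; i++)
				diff |= supplied [i] ^ expected [i];
			return diff == 0;
		}

		#region Event Handlers

		// We add the WWW-Authenticate header here, so if an authorization
		// fails elsewhere than in this module, we can still request authentication.
		//
		// Only responses that already carry status 401, and only while
		// AuthenticationRequired is set, receive the challenge.
		public override void OnEndRequest (object source, EventArgs eventArgs)
		{
			HttpApplication app = (HttpApplication) source;
			if (app.Response.StatusCode != 401 || !AuthenticationRequired)
				return;

			// NOTE(review): the realm is written verbatim inside the quoted
			// string; a configured value containing '"' would produce a
			// malformed challenge. Keep "Basic.Realm" to plain text.
			string realm = ConfigurationSettings.AppSettings ["Basic.Realm"];
			string challenge = String.Format ("{0} realm=\"{1}\"", AuthenticationMethod, realm);
			app.Response.AppendHeader ("WWW-Authenticate", challenge);
		}

		#endregion
	}
}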