I am refactoring a working ASP.NET Web Application to expose Web Services interface using ASP.NET Web Service. According to Web Services authentication – best practices, Basic Auth over https is the way to go. Let’s assume it is, as opposed to doing WS-Security, X509, etc..
On .NET 3.5/VS 2008, what’s the simplest way of implementing custom http Basic Authentication (non-Windows account), for example, accepting only if user name is ‘foo’ and password is ‘bar’. Ultimately, I’d like Thread.CurrentPrincipal set.
Do I write my own HttpModule or can this be done simpler?
Likely using Custom Basic Authentication for IIS, written by Dominick Baier is the way to go. As he points out WCF 3.5’s usernames over transport security cannot be used on IIS-hosted service, although my question was regarding ASP.NET Web Services not WCF.
There’s another implementation of HTTP Module called Basic authentication in ASP.NET against custom datasource by Santosh Sahoo.
Although it’s not what I wanted, I found QuickStart Tutorial’s SOAP Headers sample to be informative workaround. Sending password in plain text over http is clearly insecure, but this example could be extended to add more security, for instance running on https or sending hash of ‘password + one-time GUID + timestamp’.