Skip to main content

HTTP Basic Authentication with ASP.NET MVC using a custom ActionFilter

A common-case scenario during the development of an ASP.NET MVC web application is the need to restrict the access to some web resources to authenticated users only. If our application features an authentication system based on ASP.NET Membership framework (like the ASP.NET Membership Provider or the updated ASP.NET Identity) you can easily fullfill the task by using the AuthorizeAttribute provided in the System.Web.Mvc namespace to only allow specific Users and/or Roles for a whole Controller and/or for a specific ActionResult:

This simple yet effective approach requires the user to authenticate himself using a login mechanism (usually a login form page or view) and that’s why it’s not really useful when you need to put togheter a RESTful interface and/or a WebService  of any kind. The best way to deal with these things is to adopt one of the many authentication mechanisms supported by the HTTP protocol: Basic, Digest, NTLM just to mention some. The most used, yet also the easiest one to blend into a MVC pattern, it’s definitely the Basic Authentication.

To implement it in your application just add the following ActionFilter custom attribute to your project:

As you can see the filter checks for the presence of the Authorization request field and acts accordingly:

  • If it’s there, it checks the given username and password with those expected by the server application.
  • If it’s not there, it builds a standard 401 Http Response to tell the client that we need some credentials to access that specific resource. This kind of response will make most web browsers prompt the user with an “insert username and password” standard popup form.

The above implementation requires the developer to manually insert the username and password as ActionFilter required parameters but can be easily extended to make it support any authorization mechanism (MembershipProvider, ASP.NET Identity, custom userbase on an external DBMS or file, etc.) by removing the custom constructor and modifying the OnActionExecuting method IF block accordingly.

The BasicAuthenticationActionFilter attribute is just as versatile as the previously mentioned Authorize attribute, meaning that it can be used to put under Basic Authentication a whole controller or a specific ActionResult:

 

RELATED POSTS

Ryan

IT Project Manager, Web Interface Architect and Lead Developer for many high-traffic web sites & services hosted in Italy and Europe. Since 2010 it's also a lead designer for many App and games for Android, iOS and Windows Phone mobile devices for a number of italian companies.

  • Pingback: Ready-Made ASP.NET 5 MVC 6 Web API Template – Grab It Now!()

  • Nicholas Mitchell

    You’re the man. Thanks

  • Nicholas Mitchell

    You’re the man. Thanks

  • smtpccnt

    Thank you very much for your hint, the procedure described was really-really usefull!

    There’s one thing i’d like to mention, hopefully others can fing it usefull:
    if
    you use the BasicAuthenticationAttribute class in an ASP.NET MVC
    controller to lets say upload a file using AJAX then your controller can
    get vulnerable to malicious activity.
    The reason is that there can
    be created a C# DesktopApplication using Webclient.UploadFile from which
    application the controller’s methods can be invoked without knowing the
    credentials.
    This is because in fact the controller refuses
    authentication and responses the appropriate (401) Unauthenticated
    response BUT the invoked [HttpPost] method of the MVC controller will
    get called and run in the background.

    In my case the MVC
    controller nicely refused to authenticate without the right credentials
    given and kept on popping up the basic authentication window, but when i
    was creating the desktop application to implement file uploads using
    the MVC controller i surprisedly saw that files are getting uploaded to
    the server even with wrong credentials given not matching the user/pass i
    set in my BasicAuthenticationAttribute class.

    My solution was to
    extend the BasicAuthenticationAttribute class’ OnActionExecuting method
    to throw an Excepction in case of wrong credentials were given.
    That
    was great i was happy… as far as i was not getting to authenticate to
    the MVC controller through web browser. Because in that case when
    trying to access the MVC controller through web browser the
    BasicAuthenticationAttribute class’ OnActionExecuting method raised the
    Exception by default without even popping up the basic realm
    authentication window.

    To handle this i extended the
    BasicAuthenticationAttribute class by one more property called Hard (for
    Hard authentication) and setting this property to true if i want to
    avoid the authentication window popping up and expecting that
    credentials are being sent directly from let’s say a desktop
    application, and setting Hard to false if i want the athentication
    window to pop up for credentials when controller’s method are accessed
    from web browser.

  • heismanpat

    For what it’s worth, there is a majority security flaw with this code. smtpccnt described the symptoms, but didn’t quite explain why it was happening.

    The problem is that calling res.End() doesn’t actually stop the controller action from being invoked on the server side. You need to set filterContext.Result to an ActionResult type, or execution will continue past the action filter. For some use cases, this problem is invisible. If you are just trying to prevent a user from seeing a page, then your solution technically works. However, I was trying to protect a web service endpoint that received data. In my case, the data was still pushed through the action method even though the filter was returning a 401 not authorized response. The solution, as given, offered no protection.

    The good news is that the fix is simple. Replace the lines that say

    res.StatusCode = 401;
    res.End();

    with

    filterContext.Result = new HttpUnauthorizedResult();

    This seems to do the trick 🙂

    • Thanks a lot for this: I updated the post accordingly and mentioned you in an appropriate comment line.

      • heismanpat

        You’re very welcome. Thank you for writing this filter..it works great now!

  • Pingback: HTTP Basic Authentication with ASP.NET MVC using a custom ActionFilter – vgak()

Close
Read previous post:
Guardians of the Galaxy – Review

The Marvel-Universe-inspired Disney movies can definitely add another big score to their roster: we're talking about Guardians of the Galaxy, the highly-acclaimed...

Close