HTTP Basic Authentication with ASP.NET MVC using a custom ActionFilter

Errore 403 - forbidden dopo aver pubblicato una applicazione ASP.NET MVC su IIS 7: come risolvere

A common-case scenario during the development of an ASP.NET MVC web application is the need to restrict the access to some web resources to authenticated users only. If our application features an authentication system based on ASP.NET Membership framework (like the ASP.NET Membership Provider or the updated ASP.NET Identity) you can easily fullfill the task by using the AuthorizeAttribute provided in the System.Web.Mvc namespace to only allow specific Users and/or Roles for a whole Controller and/or for a specific ActionResult:

This simple yet effective approach requires the user to authenticate himself using a login mechanism (usually a login form page or view) and that's why it's not really useful when you need to put togheter a RESTful interface and/or a WebService  of any kind. The best way to deal with these things is to adopt one of the many authentication mechanisms supported by the HTTP protocol: Basic, Digest, NTLM just to mention some. The most used, yet also the easiest one to blend into a MVC pattern, it's definitely the Basic Authentication.

To implement it in your application just add the following ActionFilter custom attribute to your project:

As you can see the filter checks for the presence of the Authorization request field and acts accordingly:

  • If it's there, it checks the given username and password with those expected by the server application.
  • If it's not there, it builds a standard 401 Http Response to tell the client that we need some credentials to access that specific resource. This kind of response will make most web browsers prompt the user with an "insert username and password" standard popup form.

The above implementation requires the developer to manually insert the username and password as ActionFilter required parameters but can be easily extended to make it support any authorization mechanism (MembershipProvider, ASP.NET Identity, custom userbase on an external DBMS or file, etc.) by removing the custom constructor and modifying the OnActionExecuting method IF block accordingly.

The BasicAuthenticationActionFilter attribute is just as versatile as the previously mentioned Authorize attribute, meaning that it can be used to put under Basic Authentication a whole controller or a specific ActionResult:

 

About Ryan

IT Project Manager, Web Interface Architect and Lead Developer for many high-traffic web sites & services hosted in Italy and Europe. Since 2010 it's also a lead designer for many App and games for Android, iOS and Windows Phone mobile devices for a number of italian companies. Microsoft MVP for Development Technologies since 2018.

View all posts by Ryan

11 Comments on “HTTP Basic Authentication with ASP.NET MVC using a custom ActionFilter”

  1. Pingback: Ready-Made ASP.NET 5 MVC 6 Web API Template – Grab It Now!
  2. Thank you very much for your hint, the procedure described was really-really usefull!

    There’s one thing i’d like to mention, hopefully others can fing it usefull:
    if
    you use the BasicAuthenticationAttribute class in an ASP.NET MVC
    controller to lets say upload a file using AJAX then your controller can
    get vulnerable to malicious activity.
    The reason is that there can
    be created a C# DesktopApplication using Webclient.UploadFile from which
    application the controller’s methods can be invoked without knowing the
    credentials.
    This is because in fact the controller refuses
    authentication and responses the appropriate (401) Unauthenticated
    response BUT the invoked [HttpPost] method of the MVC controller will
    get called and run in the background.

    In my case the MVC
    controller nicely refused to authenticate without the right credentials
    given and kept on popping up the basic authentication window, but when i
    was creating the desktop application to implement file uploads using
    the MVC controller i surprisedly saw that files are getting uploaded to
    the server even with wrong credentials given not matching the user/pass i
    set in my BasicAuthenticationAttribute class.

    My solution was to
    extend the BasicAuthenticationAttribute class’ OnActionExecuting method
    to throw an Excepction in case of wrong credentials were given.
    That
    was great i was happy… as far as i was not getting to authenticate to
    the MVC controller through web browser. Because in that case when
    trying to access the MVC controller through web browser the
    BasicAuthenticationAttribute class’ OnActionExecuting method raised the
    Exception by default without even popping up the basic realm
    authentication window.

    To handle this i extended the
    BasicAuthenticationAttribute class by one more property called Hard (for
    Hard authentication) and setting this property to true if i want to
    avoid the authentication window popping up and expecting that
    credentials are being sent directly from let’s say a desktop
    application, and setting Hard to false if i want the athentication
    window to pop up for credentials when controller’s method are accessed
    from web browser.

  3. For what it’s worth, there is a majority security flaw with this code. smtpccnt described the symptoms, but didn’t quite explain why it was happening.

    The problem is that calling res.End() doesn’t actually stop the controller action from being invoked on the server side. You need to set filterContext.Result to an ActionResult type, or execution will continue past the action filter. For some use cases, this problem is invisible. If you are just trying to prevent a user from seeing a page, then your solution technically works. However, I was trying to protect a web service endpoint that received data. In my case, the data was still pushed through the action method even though the filter was returning a 401 not authorized response. The solution, as given, offered no protection.

    The good news is that the fix is simple. Replace the lines that say

    res.StatusCode = 401;
    res.End();

    with

    filterContext.Result = new HttpUnauthorizedResult();

    This seems to do the trick :)

  4. Very nice thanks it works wonderfully!
    Is there a way to allow the user to “logout” and close the current session?

  5. Pingback: HTTP Basic Authentication with ASP.NET MVC using a custom ActionFilter – vgak
  6. Oh my word. I want to make love to you.

    I need to add just Basic Auth to a particular folder in a MVC website (well, I guess it’s a View or area, not folder?) but doing it the standard way in IIS by disabling anonymous access and enabling Basic Auth does not work if I try it on the actual file system folder that corresponds to the URL path. However we do have simple Basic Auth on our internal dev websites and that works fine. But it doesn’t seem to on individual files/folders.

    Anyway, I was thinking I was out of luck when I found this solution and the browser would just keep spinning after the “res.End()” call. This must be due to the fact that we use our own custom MVC CMS to build our websites.

    However, adding your fix absolutely did the trick. It did require some slight tweaking, due to our own CMS being used (had to add in a check on filterContext.HttpContext.Request.Path for the particular location I’m looking for, and only run this authorization logic if it matches a certain string). Also had to put this ActionFilter on the method that basically serves up our CMS page Views.

    For those wondering, this isn’t a high-security section of a website, that’s why we were ok with Basic Auth in the first place.

    Amazing. You rock!

    1. Hi, glad that you like our post! :) Feel free to like us on Facebook & Twitter if you think we’ve fixed your issue!
      Best regards,

Leave a Reply

Your email address will not be published. Required fields are marked *


The reCAPTCHA verification period has expired. Please reload the page.

This site uses Akismet to reduce spam. Learn how your comment data is processed.