HTTP Basic Authentication with ASP.NET MVC using a custom ActionFilter

Errore 403 - forbidden dopo aver pubblicato una applicazione ASP.NET MVC su IIS 7: come risolvere

A common-case scenario during the development of an ASP.NET MVC web application is the need to restrict the access to some web resources to authenticated users only. If our application features an authentication system based on ASP.NET Membership framework (like the ASP.NET Membership Provider or the updated ASP.NET Identity) you can easily fullfill the task by using the AuthorizeAttribute provided in the System.Web.Mvc namespace to only allow specific Users and/or Roles for a whole Controller and/or for a specific ActionResult:

This simple yet effective approach requires the user to authenticate himself using a login mechanism (usually a login form page or view) and that’s why it’s not really useful when you need to put togheter a RESTful interface and/or a WebService  of any kind. The best way to deal with these things is to adopt one of the many authentication mechanisms supported by the HTTP protocol: Basic, Digest, NTLM just to mention some. The most used, yet also the easiest one to blend into a MVC pattern, it’s definitely the Basic Authentication.

To implement it in your application just add the following ActionFilter custom attribute to your project:

As you can see the filter checks for the presence of the Authorization request field and acts accordingly:

  • If it’s there, it checks the given username and password with those expected by the server application.
  • If it’s not there, it builds a standard 401 Http Response to tell the client that we need some credentials to access that specific resource. This kind of response will make most web browsers prompt the user with an “insert username and password” standard popup form.

The above implementation requires the developer to manually insert the username and password as ActionFilter required parameters but can be easily extended to make it support any authorization mechanism (MembershipProvider, ASP.NET Identity, custom userbase on an external DBMS or file, etc.) by removing the custom constructor and modifying the OnActionExecuting method IF block accordingly.

The BasicAuthenticationActionFilter attribute is just as versatile as the previously mentioned Authorize attribute, meaning that it can be used to put under Basic Authentication a whole controller or a specific ActionResult:



About Ryan

IT Project Manager, Web Interface Architect and Lead Developer for many high-traffic web sites & services hosted in Italy and Europe. Since 2010 it's also a lead designer for many App and games for Android, iOS and Windows Phone mobile devices for a number of italian companies.

View all posts by Ryan