IIS / ASP.NET-based WebDAV Server Authentication

Integrated Windows Authentication (IWA)

In the case of Integrated Windows authentication, your application delegates the authentication responsibility to the underlying IIS and ASP.NET.

  1. Set authentication mode to Windows in your application web.config file:
    <authentication mode="Windows"/>
  2. Remove the FileAuthorization module from the list of modules in your web.config file. Leave WindowsAuthenticationModule only:
    <httpModules>
        <remove name="FileAuthorization"/>
    </httpModules>
    or:
    <httpModules>
        <clear/>
        <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule"/>
    </httpModules>
  3. This prevents the file permissions check. All your files are stored in your custom repository, so you do not need to verify any file system permissions at the ASP.NET/IIS level.
  4. In IIS, check Integrated Windows authentication or Basic authentication. Uncheck the Enable anonymous access flag.


Note that the Microsoft Web Folders WebDAV client will not work with digest authentication in the case of IWA. If you would like to use the Web Folders client together with digest authentication, you must provide a custom implementation of the digest protocol.

In your code, you can access the logged-in user through the HttpContext.Current.User.Identity property:

public override WebDAVResponse Delete()
{
    ...

    // Ordinal, case-insensitive comparison; ToLower() depends on the server culture.
    if (!string.Equals(HttpContext.Current.User.Identity.Name, "domain\\user1", StringComparison.OrdinalIgnoreCase))
        return new AccessDeniedResponse(); // sets 401 status code
    ...

    return new NoContentResponse();
}

If you return an AccessDeniedResponse from your method implementation, the engine sets the 401 status code and the standard WindowsAuthentication module provided by ASP.NET attaches the WWW-Authenticate header. When the client application receives the WWW-Authenticate header, it shows a login dialog.

Configuring Impersonation

Impersonation is required if you would like your WebDAV server to run on behalf of the Windows user accessing the server. To set up impersonation, configure IWA as described above and add the identity tag to your web.config file:

<configuration>
    <system.web>
        <identity impersonate="true"/>
        ...
    </system.web>
    ...
</configuration>

Basic Authentication Against Custom Users Storage

To authenticate against your own credential store using basic authentication, you must first extract the base64-encoded user name and password sent by the client. The credentials are sent in the Authorization request header. Usually you will create a custom HttpModule for this purpose. The BasicAuthenticationModule class provided with the SqlStorage WebDAV server sample demonstrates this approach. You will have to replace the BasicAuthenticationModule.Authenticate method implementation with a check against your custom user store.

To set up basic authentication:

  1. Implement the BasicAuthenticationModule.Authenticate method.
  2. Set anonymous access in IIS. Check the Enable anonymous access flag in the Authentication Methods dialog. Clear all Authenticated access flags.


  3. Set authentication mode to None in your application web.config file:
    <authentication mode="None"/>
  4. Add BasicAuthenticationModule to the list of modules in the web.config file and remove the FileAuthorization module:
    <httpModules>
        <remove name="FileAuthorization"/>
        <add name="BasicAuthenticationModule" type="WebDAVServer.SqlStorage.BasicAuthenticationModule, WebDAVServer.SqlStorage"/>
    </httpModules>
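
The header extraction described above, as an added example that is not part of the original page or of the SqlStorage sample. The class name BasicCredentialParser and its TryParse method are hypothetical, and UTF-8 client encoding is an assumption:

```csharp
using System;
using System.Text;

// Hypothetical helper (not part of the SqlStorage sample): parses an
// "Authorization: Basic ..." header value into user name and password.
public static class BasicCredentialParser
{
    public static bool TryParse(string header, out string user, out string password)
    {
        user = password = null;
        const string scheme = "Basic ";
        // Header absent, or a different scheme (Digest, Negotiate, NTLM).
        if (string.IsNullOrEmpty(header) ||
            !header.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return false;

        string decoded;
        try
        {
            byte[] raw = Convert.FromBase64String(header.Substring(scheme.Length).Trim());
            // Assumption: clients send UTF-8; some legacy clients use ISO-8859-1.
            decoded = Encoding.UTF8.GetString(raw);
        }
        catch (FormatException)
        {
            return false; // token is not valid base64
        }

        // Split at the FIRST colon only: the password may contain colons,
        // the user name may not (RFC 7617). An empty user name is rejected here.
        int colon = decoded.IndexOf(':');
        if (colon <= 0)
            return false;

        user = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }

    public static void Main()
    {
        // Constructed samples: a valid header, a malformed token, another scheme.
        string header = "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes("User1:pa:ss"));
        string u, p;
        Console.WriteLine(TryParse(header, out u, out p) ? u + " / " + p : "rejected");
        Console.WriteLine(TryParse("Basic %%%not-base64", out u, out p) ? "accepted" : "rejected");
        Console.WriteLine(TryParse("Negotiate TlRMTVNT", out u, out p) ? "accepted" : "rejected");
    }
}
```

Base64 is an encoding, not encryption, so anyone who can read the request can recover the password unless the site is served over HTTPS.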

To verify that the user was authenticated, you can use the HttpContext.Current.Request.IsAuthenticated property:

public class WebDAVHandler : IHttpHandler
{
    public void ProcessRequest(HttpContext context)
    {
        // Requests that were not authenticated are not passed to the engine.
        if (!context.Request.IsAuthenticated)
            return;

        WDEngine engine = new WDEngine();
        WDRequest request = new WDRequest();
        WDResponse response = new WDResponse();
        engine.Run(request, response);
    }
    ...
}

To access the logged-in user, you can use the HttpContext.Current.User.Identity property. If you return an AccessDeniedResponse from your method implementation, the engine sets the 401 response status code, which makes the BasicAuthenticationModule class send the ‘WWW-Authenticate: Basic’ header. When the client application receives the WWW-Authenticate header, it shows a login dialog.

public WebDAVResponse CreateFolder(string name)
{
    if (HttpContext.Current.User.Identity.Name != "User1")
        return new AccessDeniedResponse();
    ...
}

 

See Also

Using Basic Authentication with Windows Vista Client

Using Digest Authentication