Sunday, August 3, 2014

Basic and Digest mixed authentication with WebAPI

In my last post I talked about using both Basic and Digest authentication with WebAPI, but not at the same time. So what do you do when you want to used mixed authentication with both?

In principal you can support both Basic and Digest authentication at the same time, but your server has to issue the 401 challenge with Digest. This is because basic requires no token or server information to authenticate, where as digest requires a nonce from the server.

I have updated Rick's Basic authentication and Badri's Digest authentication implementation to work together as a pair of AuthorizationFilterAttributes. Here is the source:

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.Filters.Add(new BasicAuthorizationFilterAttribute(false));
        config.Filters.Add(new DigestAuthorizationFilterAttribute());
 
        config.MapHttpAttributeRoutes();
 
        config.Routes.MapHttpRoute(
            "DefaultApi",
            "{controller}/{id}",
            new { controller = "data", id = RouteParameter.Optional }
        );
    }
}

Enjoy,
Tom

No comments:

Post a Comment

Real Time Web Analytics