Security and Http

Published on June 4, 2008

I did some experimentation today with authentication over http.

Using the System.Net.WebClient class I made requests against both a HttpListener based server and WCF service contract using webHttpBinding.

With HttpListener I can get Basic authentication and WindowsIntegratedAuthentication working just fine.  With WebHttpBinding I cannot get either.  I am aware that with WebHttpBinding over https you can do Basic Auth.  I haven't tried WindowsIntegratedAuthentication over https.  I do understand the logic behind disallowing clear text passwords to be sent without any encryption but it is not that unusual a scenario (Twitter, POP, FTP).  I'm not sure that it is Microsoft's job to be the police in this situation.

What is even more cool is that I can connect to an HttpListener server over a VPN connection and I get the domain account of the remote user.

I was not able to implement both Basic and WindowsIntegrated at the same time.  However, I did find AuthenticationSchemeSelectorDelegate which sounds very promising.

porn

Women Shop