XMLHTTP Request Header Authorization format

Johndc · Post by **Johndc** » Fri Mar 07, 2008 4:26 pm

I'm creating my own Handler using the AuthenticationHandler like the ClientApi.

I've been trying to pass the Authorization Header, but I'm not sure which format the AuthenticationHandler.GetUserName(string text) and AuthenticationHandler.GetPassword(string text) are expecting.

Does anyone know the format of the username and password to pass?

bobr2k · Post by **bobr2k** » Sat Mar 08, 2008 11:17 am

Does this help? (from CommerceBuilder Class Library Documentation)

public override string GetPassword(
string username,
string answer
)
Public Overrides Function GetPassword ( _
username As String, _
answer As String _
) As String
public:
virtual String^ GetPassword(
String^ username,
String^ answer
) override

Parameters
username (String)
[Missing <param> documentation for "username"]

answer (String)
[Missing <param> documentation for "answer"]

Return Value

Johndc · Post by **Johndc** » Sat Mar 08, 2008 2:37 pm

Not Really. This is the code from the ClientApiService.ashx:

Code: Select all

                string AuthHeader = request.Headers["Authorization"];
                string userName = GetUserName(AuthHeader);
                string password = GetPassword(AuthHeader);
                if(UserHasAccess(userName,password))

It seems the format is one string that both functions can read, I tried :
Username, password
Username password
Username:password

afm · Post by **afm** » Sat Mar 08, 2008 3:36 pm

The Authorization header is described in RFC 2617. I that is what the GetUserName and GetPassword methods are expecting.

If the page you are requesting is in a directory that requires authorization (i.e. anonymous access is denied), then the webclient (browser, etc) will add the appropriate authorization header for you.

If you are creating your own authorization header for testing, then the Basic format is the easiest to replicate. I think it is just a base 64 encoded version of username:password.