HttpWebRequests sends parameterless URI in Authorization header

by

It turns out that Digest authentication is fairly easy to implement. With our own implementation, we were able to use the full URI (including parameters) to generate the MD5 hash. That fixed the problem.

In case someone hits this problem in the future, you can call the workaround like:

var resultText = DigestAuthFixer.GrabResponse("/dir/index.html");

The code for the DigestAuthFixer class:

public static class DigestAuthFixer
{
    private static string _host = "http://localhost";
    private static string _user = "Mufasa";
    private static string _password = "Circle Of Life";
    private static string _realm;
    private static string _nonce;
    private static string _qop;
    private static string _cnonce;
    private static DateTime _cnonceDate;
    private static int _nc;

    private static string CalculateMd5Hash(
        string input)
    {
        var inputBytes = Encoding.ASCII.GetBytes(input);
        var hash = MD5.Create().ComputeHash(inputBytes);
        var sb = new StringBuilder();
        foreach (var b in hash)
            sb.Append(b.ToString("x2"));
        return sb.ToString();
    }

    private static string GrabHeaderVar(
        string varName,
        string header)
    {
        var regHeader = new Regex(string.Format(@"{0}=""([^""]*)""", varName));
        var matchHeader = regHeader.Match(header);
        if (matchHeader.Success)
            return matchHeader.Groups[1].Value;
        throw new ApplicationException(string.Format("Header {0} not found", varName));
    }

    // http://en.wikipedia.org/wiki/Digest_access_authentication
    private static string GetDigestHeader(
        string dir)
    {
        _nc = _nc + 1;

        var ha1 = CalculateMd5Hash(string.Format("{0}:{1}:{2}", _user, _realm, _password));
        var ha2 = CalculateMd5Hash(string.Format("{0}:{1}", "GET", dir));
        var digestResponse =
            CalculateMd5Hash(string.Format("{0}:{1}:{2:00000000}:{3}:{4}:{5}", ha1, _nonce, _nc, _cnonce, _qop, ha2));

        return string.Format("Digest username=\"{0}\", realm=\"{1}\", nonce=\"{2}\", uri=\"{3}\", " +
            "algorithm=MD5, response=\"{4}\", qop={5}, nc={6:00000000}, cnonce=\"{7}\"",
            _user, _realm, _nonce, dir, digestResponse, _qop, _nc, _cnonce);
    }

    public static string GrabResponse(
        string dir)
    {
        var url = _host + dir;
        var uri = new Uri(url);

        var request = (HttpWebRequest)WebRequest.Create(uri);

        // If we've got a recent Auth header, re-use it!
        if (!string.IsNullOrEmpty(_cnonce) &&
            DateTime.Now.Subtract(_cnonceDate).TotalHours < 1.0)
        {
            request.Headers.Add("Authorization", GetDigestHeader(dir));
        }

        HttpWebResponse response;
        try
        {
            response = (HttpWebResponse)request.GetResponse();
        }
        catch (WebException ex)
        {
            // Try to fix a 401 exception by adding a Authorization header
            if (ex.Response == null || ((HttpWebResponse)ex.Response).StatusCode != HttpStatusCode.Unauthorized)
                throw;

            var wwwAuthenticateHeader = ex.Response.Headers["WWW-Authenticate"];
            _realm = GrabHeaderVar("realm", wwwAuthenticateHeader);
            _nonce = GrabHeaderVar("nonce", wwwAuthenticateHeader);
            _qop = GrabHeaderVar("qop", wwwAuthenticateHeader);

            _nc = 0;
            _cnonce = new Random().Next(123400, 9999999).ToString();
            _cnonceDate = DateTime.Now;

            var request2 = (HttpWebRequest)WebRequest.Create(uri);
            request2.Headers.Add("Authorization", GetDigestHeader(dir));
            response = (HttpWebResponse)request2.GetResponse();
        }
        var reader = new StreamReader(response.GetResponseStream());
        return reader.ReadToEnd();
    }
}

More Related Contents:

  1. The request was aborted: Could not create SSL/TLS secure channel
  2. The request was aborted: Could not create SSL/TLS secure channel
  3. HttpWebRequest not passing Credentials
  4. How do I see the raw HTTP request that the HttpWebRequest class sends?
  5. Why does HttpWebRequest throw an exception instead returning HttpStatusCode.NotFound?
  6. How to display words that appear more than 'x' times in a text? [closed]
  7. how to get Value that cause exception
  8. Error Message is not clear to me
  9. Create an array or List of all dates between two dates [duplicate]
  10. Json.NET serialize object with root name
  11. Scope of static Variable in multi-user ASP.NET web application
  12. ASP.NET WebApi: how to perform a multipart post with file upload using WebApi HttpClient
  13. Custom Authentication in ASP.Net-Core
  14. “The LINQ expression node type ‘Invoke’ is not supported in LINQ to Entities” – stumped!
  15. ExecuteNonQuery doesn’t return results
  16. Programmatically get Summary comments at runtime
  17. Is there a standard way to encode a .NET string into JavaScript string for use in MS Ajax?
  18. C# – Outputting image to response output stream giving GDI+ error
  19. Timer in UpdatePanel
  20. How can I convert ticks to a date format?
  21. How do I route images using ASP.Net MVC routing?
  22. Convert a string’s character encoding from windows-1252 to utf-8
  23. Javascript serialization of DateTime in asp.net is not giving a javascript date object?
  24. Making an entire row clickable in a gridview
  25. Datetime format Issue: String was not recognized as a valid DateTime
  26. Explicit construction of entity type [MyClass] in query is not allowed
  27. Web Service without adding a reference?
  28. How to maintain the value of label after postback in Asp.net? [closed]
  29. How do I call a method in a Master Page from a content’s code-behind page?
  30. Why are Static Methods not Usable as Web Service Operations in ASMX Web Services?

Leave a Comment