Skip to site navigation

You are here:

XHTTP Authenticator.NET Documentation

Adding XHTTP Authenticator.NET in your Web Application

XHTTP Authenticator.NET is a HTTP Module native from Microsoft .NET technology. To add it to your web application, copy the assembly Visionalyse.XHTTPAuthenticator.dll to your /bin directory and just add the following code in the <httpModules> section of your Web.config:



1 <add type="Visionalyse.Web.Security.BasicAuthenticationModule, Visionalyse.XHTTPAuthenticator" name="XHTTPBasic" />
2 <add type="Visionalyse.Web.Security.DigestAuthenticationModule, Visionalyse.XHTTPAuthenticator" name="XHTTPDigest" />

For example:



 1 <?xml version="1.0" encoding="utf-8"?>
 2 <configuration>
 3   <system.web> 
 4   
 5     <httpModules>
 6       <add type="Visionalyse.Web.Security.BasicAuthenticationModule, Visionalyse.XHTTPAuthenticator" name="XHTTPBasic" />
 7       <add type="Visionalyse.Web.Security.DigestAuthenticationModule, Visionalyse.XHTTPAuthenticator" name="XHTTPDigest" />
 8     </httpModules> 
 9     
10   </system.web> 
11 </configuration>

 

Removing XHTTP Authenticator.NET for a Virtual Web Application

By design, when you add a HTTP module in a .NET web application, recursively, the web applications within this application inherit the HTTP Module configuration and sometimes can be problematic. If you are using XHTTP Authenticator.NET for a web application and you have an other web application running within this application and do not wish to use the module, you can remove it by adding the following code in the Web.config of child application: 



 1 <?xml version="1.0" encoding="utf-8"?>
 2 <configuration>
 3   <system.web> 
 4  
 5     <httpModules>
 6       <remove name="XHTTPBasic" />
 7       <remove name="XHTTPDigest" />
 8     </httpModules> 
 9   
10   </system.web> 
11 </configuration>

Notes:

  • The value of the attribute "name" must match the value of the HTTP module attribute "name" of your parent web application.
  • For cases where XHTTP Authenticator.NET is not registered in the GAC, the assembly .dll file must be copied in the child web application or .NET framwork will throw the exception "Assembly Not Found".

Configuring IIS Application Settings

To allow XHTTP Authenticator.NET to work correctly, you must setup the IIS Application Authentication Methods as follow:

1. Open IIS and right-click on your website or virtual directory and select 'properties'. Click on the 'Directory Security' tab.

2. Click 'Edit' button in the Anonymous access and Authentication control and the Authentication Methods window will open.

 

3. Make sure that Anonymous access is checked and All Authentication options are unchecked as per the following screenshot:

4. Press 'OK' to confirm and close all the windows.

You have completed the IIS Application configuration settings.

Configuration Settings & User Credentials

The configuration settings for XHTTP Authenticator.NET as well as the user credentials for built-in login logic are stored in the web.config of your web application using a custom configuration section named <XHTTPAuthenticator> and for this reason you must declare the section at the beginning of the web.config file as follow:

Declaration of Custom Section Name used in the web.config 



 1 <?xml version="1.0" encoding="utf-8"?>
 2 <configuration>
 3 
 4   <configSections>
 5     <section name="XHTTPAuthenticator" type="Visionalyse.Web.Configuration.AuthenticationConfigHandler, Visionalyse.XHTTPAuthenticator" />
 6   </configSections>
 7 
 8   <system.web> 
 9   
10   </system.web>
11  
12 </configuration>

Structure of the XHTTP Authenticator.NET in the web.config 



 1 <?xml version="1.0" encoding="utf-8"?>
 2 <configuration> 
 3 
 4  <configSections>
 5     <section name="XHTTPAuthenticator" type="Visionalyse.Web.Configuration.AuthenticationConfigHandler, Visionalyse.XHTTPAuthenticator" />
 6   </configSections>
 7 
 8   <system.web> 
 9   
10     <httpModules>
11       <add type="Visionalyse.Web.Security.BasicAuthenticationModule, Visionalyse.XHTTPAuthenticator" name="XHTTPBasic" />
12       <add type="Visionalyse.Web.Security.DigestAuthenticationModule, Visionalyse.XHTTPAuthenticator" name="XHTTPDigest" />
13     </httpModules> 
14   
15   </system.web> 
16 
17   <XHTTPAuthenticator mode="" realm="" redirectDenyUrl="" cookieName="" timeout=""> 
18     <credentials passwordFormat="">
19       <!-- list of user credentials --> 
20       <user name="" password="" roles="" />
21     </credentials> 
22   </XHTTPAuthenticator>
23 
24 </configuration>

Reference

<XHTTPAuthenticator> Element Tag & Attributes 
<XHTTPAuthenticator mode="" realm="" redirectDenyUrl="" cookieName="" timeout="" />
Attributes
mode (None | Basic | Digest) Mode used to authenticate the user
Default value: None
realm string Name of the Authentication used to protect the resources
Default value: empty
redirectUrl string URL to redirect when user is denied from access
Default value: empty
cookieName (true | false) Name used to issue the temporary login cookie
Default value: true
timeout integer Number of minutes before the cookie expires since the user has last requested a page
Default value: 30
<credentials> Element Tag & Attributes 
<credentials passwordFormat="" />
Attributes
passwordFormat (Clear | Encrypted) Setting to specify if passwords are stored using encryption or not
Default value: clear
<user> Element Tag & Attributes 
<user name="" password="" roles="" />
Attributes
name string value storing the username for login
Default value: empty
password string value storing the password for login. If passwordFormat is set to Encrypted, the password must be encrypted using the encryption utility and store the encrypted value.
Default value: empty
roles string comma separated values of Roles in which the user is part of.
Default value: empty
For example: Administrators,Backup Users

Using your own login logic with inheritance

It is possible to use your own login logic with XHTTP Authenticator.NET. For example, you might have a database with a user credentials table that you wish to use to authenticate the users.

To meet this requirement, you need create your own module class and inherit from one of the HTTP authentication modules of your choice.

Please visit our online example "Implementing your own Authentication Login Logic" or download the XHTTP Authenticator.NET demo website which explains in more details.

Using Encryption Utility for storing passwords in web.config

XHTTP Authenticator.NET has a built-in utility to encrypt passwords for storing in web.config so passwords are kept private and cannot be used by anyone who has read access to the web.config file.

How to use the utility?

  • You can download the sample demo in the download area which provide you with an user interface to use this utility
  • Open your .NET project using Visual Studio.NET, add a reference to the assembly file Visionalyse.XHTTPAuthenticator.dll and make a call to the public method HashPasswordForConfigFile found in the Class Visionalyse.Web.Security.Authentication.


1 Public Shared Function HashPasswordForConfigFile(ByVal username As String, ByVal realm As String, ByVal password As String) As String

Parameters:

  • Username: The user name
  • Password: The user password
  • Realm: The Realm name used for the authentication

Return Value:

  • An encrypted string representing the combination of Username, Password and Realm and ecnrypted using MD5 Crypto Service.

Related Links