.NET WebClient sends request without authentication first

I'm building a web service with Asp.net web api, and I have to fetch an image from an AXIS IP Camera. The camera, however, uses Digest authentication. So my C# code looks something like this:

    WebClient webClient = new WebClient();
    webClient.UseDefaultCredentials = true;
    webClient.Credentials = new NetworkCredential("***", "***");
    byte[] imageStream = webClient.DownloadData("http://192.168.0.90/axis-cgi/jpg/image.cgi");

This all works, but when looking at Fiddler, I found that the client sends one request without authentication, and a 401 error returns. After that it sends the one with digest security.

I've found a solution with manual credentials injection here:

http://kristofmattei.be/2013/02/20/webclient-not-sending-credentials-heres-why/

But this looks wrong. It uses basic authentication, which I don't want really and looks a bit unprofessional.

Is there any way to send the signed request immediately or is this how that works because I'm noticing that the camera is returning the nonce in the first request?

Viscose answered 10/6, 2013 at 12:56 Comment(5)
Have you tried HTTPS & Digest Authentication? – Nutwood

Well yeah, that link is similar. I think you are telling it to use default credentials and then setting explicit credentials; try setting that to false first and then see if it works. – Lisandralisbeth

No change, after both pieces of advice. – Viscose

Does this work if you run the same code from a non-web application, for instance a console application? My suggestion is that since the web application runs under IIS, it may have credentials other than your user's default credentials. – Tympanic

Just to be clear, this works like this. First it sends the request with no authentication, and then with. I tried this with the browser, just going to this URL. After that it showed me the login window, I entered them, and I got my image back. When I debugged that, I saw the same as with my app. The request with the 401 response first, and then, after me logging in, the correct one. This really seems like it should work like that since the first response carries some security information, nonce and realm. Is there any book where I can read more about these security protocols for deeper understanding? – Viscose

You can't avoid the first anonymous request because the WebClient has to figure out which authentication scheme is used, based on the 401 response it's getting; it could be basic, digest, etc. See that question.

With digest you can't avoid 2 requests anyway because the first 401 response contains a nonce (a value that is needed for the client authentication request), see Digest access authentication, Wikipedia.

If it was basic authentication you could have avoided the first request by setting the needed header manually with your credentials.

Southard answered 10/6, 2013 at 13:47 Comment(1)
That was very helpful. Indeed, for basic auth WebClient does not send the credentials on the first request, it waits for a 401 before doing so. Therefore if your server is not compliant (e.g. returns 407 instead of 401 as in the case of some mailgun APIs), it will never send credentials. Boo! The way to fix this is to set the Authorization header manually, as you suggested - https://mcmap.net/q/498586/-asp-net-http-authorization-header Thanks! – Numbersnumbfish
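
Why the first 401 cannot be skipped with Digest, as an added example (not code from the question or the answers): the Authorization value is a hash over the realm and nonce that the server issues in its challenge, so it cannot be built before that response arrives. `DigestDemo` and its method names are hypothetical, the challenge string is constructed from the sample values in RFC 2617, and only MD5 with `qop=auth` is handled.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

static class DigestDemo   // hypothetical name, not a .NET or camera API
{
    static string Md5Hex(string s)
    {
        using (var md5 = MD5.Create())
            return string.Concat(md5.ComputeHash(Encoding.UTF8.GetBytes(s)).Select(b => b.ToString("x2")));
    }

    // Parse the key="value" / key=value parameters of a "WWW-Authenticate: Digest ..." value.
    static Dictionary<string, string> ParseChallenge(string header)
    {
        if (!header.StartsWith("Digest ", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("not a Digest challenge");
        return Regex.Matches(header.Substring(7), "(\\w+)=(?:\"([^\"]*)\"|([^,\\s]+))")
            .Cast<Match>()
            .ToDictionary(m => m.Groups[1].Value.ToLowerInvariant(),
                          m => m.Groups[2].Success ? m.Groups[2].Value : m.Groups[3].Value);
    }

    // Authorization header value for one request (RFC 2617, MD5 with qop=auth only).
    public static string BuildAuthorization(string challenge, string user, string password,
                                            string method, string uri, string cnonce, int nc)
    {
        var c = ParseChallenge(challenge);
        string realm = c["realm"], nonce = c["nonce"];   // both exist only in the 401 response
        if (!c.TryGetValue("qop", out var qop) || !qop.Split(',').Select(q => q.Trim()).Contains("auth"))
            throw new NotSupportedException("this example handles qop=auth only");
        string ncHex = nc.ToString("x8");                // request counter for this nonce
        string ha1 = Md5Hex(user + ":" + realm + ":" + password);
        string ha2 = Md5Hex(method + ":" + uri);
        string response = Md5Hex(string.Join(":", ha1, nonce, ncHex, cnonce, "auth", ha2));
        string opaque = c.TryGetValue("opaque", out var o) ? ", opaque=\"" + o + "\"" : "";
        return "Digest username=\"" + user + "\", realm=\"" + realm + "\", nonce=\"" + nonce +
               "\", uri=\"" + uri + "\", qop=auth, nc=" + ncHex + ", cnonce=\"" + cnonce +
               "\", response=\"" + response + "\"" + opaque;
    }

    static void Main()
    {
        // Constructed challenge built from the sample values in RFC 2617 section 3.5.
        string challenge = "Digest realm=\"testrealm@host.com\", qop=\"auth,auth-int\", " +
            "nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"";
        Console.WriteLine(BuildAuthorization(challenge, "Mufasa", "Circle Of Life",
                                             "GET", "/dir/index.html", "0a4f113b", 1));
    }
}
```

The password itself never appears in the header, only the hash, which is the difference from the manual Basic header discussed above.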
