Re: Recommended practice to request security info for a Web client

Why not use the windows authentication method in .NET?  This would give you
an .NET page that would allow for authentication and you could have them
provide as little as username and password information.

Now something you may not be considering is the fact that there could be
multiple domains that you are authenticating against.  So the user may have
to put Domain\username and password in.

I would suggest going the route of using the .NET authentication model and
windows authentication.  This would allow you to maintain consistency by
always forcing a logon.

By consistency, I mean regardless of browser type, they will have the same
logon process.  The Integrated, Basic, and Digest stuff you are talking
about is from IIS and Integrated then would only be referring to IE
browsers.  You could set up a download webpage that would list all files
that are available for download and you could force them to authenticate
against windows in order for it to happen.

You can set up your logon page and any other files that you don't care if
they are authenticated to see.

Is this an option for you?

Thanks,

Keith

-----Original Message-----
From: Discussion of building .NET applications targeted for the Web
[mailto:DOTNET-WEB@xxxxxxxxxxxxxxxxxxx] On Behalf Of Pradeep Tapadiya
Sent: Tuesday, January 18, 2005 5:50 PM
To: DOTNET-WEB@xxxxxxxxxxxxxxxxxxx
Subject: [DOTNET-WEB] Recommended practice to request security info for a
Web client

.NETters,

In our application, we need to download some data files over the Web. The
website to access and the security information must be specified by the end
user.

I would like to make the security dialog box as intuitive as possible. I
would appreciate it if you could answer one or more of the following
questions.

Authentication:
--------------

1. Must we always set HttpWebRequest.PreAuthenticate to true or should we
ask the user? Or, can we just leave it to its default value (false)?

2. There are many authentication types that are available - Integrated
Authentication, Basic, Digest, etc. Can we get away by not asking the user
about the authentication type? I am thinking we just have two edit boxes for
username and password. If the username is left blank, we use Integrated
Authentication. If not, we just build the credential cache with all possible
values:

Cache.Add(uri, "Basic", new NetworkCredential(username, password))
Cache.Add(uri, "Digest", new NetworkCredential(username, password))

Do you see anything wrong with this logic?

3. Are there other authentication types besides Basic and Digest that can be
used with NetworkCredential?

SSL:
---

1. My understanding is that the WebRequest class internally can handle
http://blah or https://blah automatically. Is there a case where I need to
request the user for additional information?

General:
-------

1. Is there any standard UI that already deals with Web client security that
I can leverage?

Thank you in advance for your help.

Pradeep

===================================
This list is hosted by DevelopMentor.  http://www.develop.com

View archives and manage your subscription(s) at http://discuss.develop.com

===================================
This list is hosted by DevelopMentor®  http://www.develop.com

View archives and manage your subscription(s) at http://discuss.develop.com