I've found a workaround for this, but I have a client with a server that is throwing 400 errors when I make a GET request with an empty Authorization header. It works just fine when there is no Authorization header. I'd like to explain or fix the issue, instead of just saying I fixed it.

My old code was this:

    // When HTTP_AUTHORIZATION is absent this sends "Authorization: " with an empty value
    request.Headers["Authorization"] = _Request.ServerVariables["HTTP_AUTHORIZATION"] ?? string.Empty;
    request.GetResponse();

I switched to this:

    // Only forward the header when the inbound request actually carried one
    if (_Request.ServerVariables["HTTP_AUTHORIZATION"] != null)
    {
        request.Headers["Authorization"] = _Request.ServerVariables["HTTP_AUTHORIZATION"];
    }
    request.GetResponse();
busbina

1 Answer

You might want to see this question: What is the HTTP_AUTHORIZATION environment variable?

Essentially, when you pass the Authorization header, the server is supposed to use that to test whether the user has access to the underlying resource. By sending the header with a blank value you are essentially telling the server to use blank credentials... which is failing.

When you do not send the Authorization header then the server attempts to use its default credentials for the resource, which passes.

The way this is supposed to work is:

  1. Client requests a resource.
  2. Server attempts to deliver resource. If additional authorization is required then a 401 header is sent back with a WWW-Authenticate header.
  3. Client prompts user for credentials and resubmits request with Authorization header.
  4. Server validates Authorization and, if successful, delivers the resource. If unsuccessful, it will send a 401 again.

Your code should only send the Authorization header IF the remote server responds to the initial request with a 401 and a WWW-Authenticate header. Otherwise that header should not be sent.

More info at: http://en.wikipedia.org/wiki/Basic_access_authentication

NotMe
  • Makes sense. But I cannot reproduce this behavior with other web sites. I can use this same header with other IIS sites and apache sites and they do not throw this. I am wondering if there was an IIS setting to force this. – busbina Nov 14 '13 at 02:49
  • 1
    @busbina: There are any number of potential issues. Ranging from a bug in that particular version of IIS to differences in service pack / update levels between the machines that work and the ones that don't. Could even be a proxy server at that particular client causing issues. – NotMe Nov 14 '13 at 14:32
  • Sweet, they are on an older version of 2008 R2, and they are also not in our hosting environment, so we cannot guarantee that some proxy is not being used. Thanks for the help. – busbina Nov 14 '13 at 18:02
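The challenge-driven flow the answer describes, written against the same `HttpWebRequest` API the question uses. This is an added example, not code from the asker or the answerer; the `Get` method, `url` and `inboundAuthorization` names are mine, and the scheme comparison assumes a single challenge in `WWW-Authenticate`.

```csharp
using System;
using System.Net;

// Issue the GET with no Authorization header first, and forward the inbound
// credential only if the upstream server answers 401 with a WWW-Authenticate
// challenge for the same scheme. An absent or empty credential is never sent.
static class ChallengeAwareClient
{
    public static HttpWebResponse Get(string url, string inboundAuthorization)
    {
        var first = (HttpWebRequest)WebRequest.Create(url);
        try
        {
            // Most servers serve the resource here; nothing is forwarded.
            return (HttpWebResponse)first.GetResponse();
        }
        catch (WebException ex)
        {
            // GetResponse() throws on 4xx; the response is still attached.
            var challenge = ex.Response as HttpWebResponse;
            if (challenge == null || challenge.StatusCode != HttpStatusCode.Unauthorized)
                throw;                                    // not an auth challenge

            string wwwAuthenticate = challenge.Headers["WWW-Authenticate"];
            challenge.Close();

            // "Authorization: " with an empty value is what produced the 400
            // in the question, so never forward a blank credential.
            if (string.IsNullOrWhiteSpace(wwwAuthenticate) ||
                string.IsNullOrWhiteSpace(inboundAuthorization))
                throw;

            // Forward only when the schemes agree, e.g. "Basic <token>" in
            // response to a "Basic realm=..." challenge (assumes one challenge).
            string scheme = inboundAuthorization.Split(' ')[0];
            if (!wwwAuthenticate.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
                throw;

            var retry = (HttpWebRequest)WebRequest.Create(url);
            retry.Headers["Authorization"] = inboundAuthorization;
            return (HttpWebResponse)retry.GetResponse();
        }
    }
}
```

In the asker's handler this replaces the direct `request.Headers["Authorization"] = ...` assignment with `ChallengeAwareClient.Get(url, _Request.ServerVariables["HTTP_AUTHORIZATION"])`.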