Dead simple ASP.NET MVC 5 password protection?

Question

I have an ASP.NET MVC 5 web application running on Azure as a webrole.

Is there any way to easily password protect the entire website? I do not want any signup or account handling, just a single password to enter the site (and perhaps a username, but that's not required). Something similar to a .htaccess file.

Every example on authentication for ASP.NET MVC I'm looking at comes with an enormous amount of code to implement, and Azure does not seem to be able to support Basic Authentication (at least not easily).

I would just generate the template and rip out the registering and accounts stuff then seed a single user into the table. — jamesSampica, Apr 30 '15 at 16:02

score 13 · Accepted Answer · edited Dec 13 '15 at 19:11

You are right, there is no support for Basic Authentication in ASP.NET MVC out of the box. However, you can easily add it by using action filters, as described here. First you need to create an action filter:

public class BasicAuthenticationAttribute : ActionFilterAttribute
    {
        public string BasicRealm { get; set; }
        protected string Username { get; set; }
        protected string Password { get; set; }

        public BasicAuthenticationAttribute(string username, string password)
        {
            this.Username = username;
            this.Password = password;
        }

        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            var req = filterContext.HttpContext.Request;
            var auth = req.Headers["Authorization"];
            if (!String.IsNullOrEmpty(auth))
            {
                var cred = System.Text.ASCIIEncoding.ASCII.GetString(Convert.FromBase64String(auth.Substring(6))).Split(':');
                var user = new { Name = cred[0], Pass = cred[1] };
                if (user.Name == Username && user.Pass == Password) return;
            }
            var res = filterContext.HttpContext.Response;
            res.StatusCode = 401;
            res.AddHeader("WWW-Authenticate", String.Format("Basic realm=\"{0}\"", BasicRealm ?? "Ryadel"));
            res.End();
        }
    }

Then you can protect actions, controllers by using attributes:

[BasicAuthenticationAttribute("your-username", "your-password", BasicRealm = "your-realm")]
public class HomeController : BaseController
{
   ...
}

To protect the entire website, add this filter to global filters:

protected void Application_Start()
{
    ...
    GlobalFilters.Filters.Add(new BasicAuthenticationAttribute("your-username", "your-password"));
    ...
}

this is a very good answer and works very good. Clean, simple and quick to implement! — juFo, Feb 22 '17 at 15:17
when i use this as a global filter, OnActionExecuting get called over and over again....any advice? — Captain_Planet, Apr 03 '17 at 17:13
This solution may suffer from the flaw described here: https://stackoverflow.com/a/35330494/1063583 — James, Feb 19 '19 at 10:42

Dead simple ASP.NET MVC 5 password protection?

1 Answers1

Linked