2

I am writing a C# application to get some information from URL.

The Url's are of Web applications hosted in IIS in our local intranet environment.

The web applications are developed using ASP.NET (C#).

In IIS these are configured as either Forms or Windows authentication.

Is there a way to identify what type of authentication is the corresponding web application urls ?

This is what i got so far !

    using System;
    using System.IO;
    using System.Net;
    public class Program
    {
        public static void Main()
        {
                var url = "http://www.contoso.com/default.html";
                WebRequest request = WebRequest.Create(url);
                HttpWebResponse response = (HttpWebResponse)request.GetResponse ();

                //he i need to know what type of authentication the url 

                Console.WriteLine (response.StatusDescription);

                Stream dataStream = response.GetResponseStream();

                StreamReader reader = new StreamReader (dataStream);

                string responseFromServer = reader.ReadToEnd();

                reader.Close ();
                dataStream.Close ();
                response.Close ();
        }
    }

Demo

Kishore Sahasranaman
  • 4,013
  • 3
  • 24
  • 50

3 Answers3

2

Guessing by url is not accurate. But you can use the header information to make an educated guess. Windows and basic authentication give you enough information. Hence check for those first.

Below is the header information to determine the authentication type. Check for basic and windows first. You can default to forms if not basic or windows and there is a redirect. And if no redirect, there is no authentication.

Windows Authentication

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

Basic Authentication

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="test.local"

Forms Authentication

HTTP/1.1 302 Found
Location: /Account/Login?ReturnUrl=%2f
Osa E
  • 1,711
  • 1
  • 15
  • 26
1

No, not based on the URL, unless you specifically add something to the URL to indicate it. But you would know if you did that.

Since you own the sites, you should know ahead of time what type of authentication they use, without needing to look at the URL, right? Or you could programatically connect to the server and check the IIS settings. You can also detect authentication type by inspecting the HTTP headers in the response from the server, but that's outside the scope of your question.

mason
  • 31,774
  • 10
  • 77
  • 121
  • Thanks @mason , I think the `HTTP response headers` will give me the expected result. I have updated my question. Could you please provide me some reference ? – Kishore Sahasranaman Oct 19 '15 at 12:54
  • Hello Mason, someone asked me this question in the interview for Spring Boot as the requirement in the job description. First I said HTTP or HTTPS, he wasn't satisfied. So, I said using URL, we cannot figure out but we may use console in the browser's developer tools when loading the page. – raja777m Mar 18 '19 at 13:27
  • @raja777m HTTP or HTTPS has absolutely nothing to do with the authentication type. The console itself isn't likely to tell you the authentication type. But you may be able to figure it out by inspecting the header or cookies. I haven't used Spring Boot, but each framework is likely to store the authentication info in a certain way, which may be visible by looking at the network traffic in the browser's dev tools. – mason Mar 18 '19 at 14:35
  • Thanks Mason, I wasn't knowledgeable much on Spring security as much. Appreciate your answer. – raja777m Mar 18 '19 at 15:15
0

If your web application is written correctly then when a protected resource is requested it should respond with a 401 status and a WWW-Authentication header containing the authentication challenge. Decoding the authentication challenge will show the authentication types supported (Basic, Digest, NTLM etc). Read more at Understanding HTTP Authentication.

The WebRequest supports this challenges and authenticates itself using the Credential configured for that challenge.

IF your application uses forms and cookies for authentication then WebRequest will not be able to authenticate itself. You will have to add support, using for instance WebClient instead.

See How do I log into a site with WebClient?

Community
  • 1
  • 1
Remus Rusanu
  • 288,378
  • 40
  • 442
  • 569