0

On a webserver with Kerberos, the client will send a request anonymously and get a 401 status back. Then it sends the same request again, with authentication, and now gets a 200 status back. Is it possible to set up a web application in MVC/JavaScript/etc. to know that an anonymous request is futile and go straight for the user authentication request? For a specific case I am using jQuery and AJAX that is pulling data from a server at short intervals.

UPDATE: I want the client to know that there is no use sending an anonymous request, so it can just as well send a request with a username the first time. Why send an anonymous request in the first place when you absolutely know you will only get a 401 back?

Espen
  • I do not quite follow - you want to set up the **server** to instruct the **client** to send an auth request in the first place? – AgentFire Nov 21 '13 at 08:22
  • Are you using the default [Authorize] attribute? How about creating a `CustomAttribute : AuthorizeAttribute` class? – aifarfa Nov 21 '13 at 08:25
  • You also might want to consider using the `AllowAnonymousAttribute`. – AgentFire Nov 21 '13 at 08:30
  • See my update above. Also I don't want anonymous access to the server. – Espen Nov 21 '13 at 08:42
  • `I want the client to know that there is no use sending an anonymous request, so it can just as well send a request with a username the first time.` How should the client know this without any request? – AgentFire Nov 21 '13 at 08:42
  • @AgentFire: Because I know it and I program the web application. – Espen Nov 21 '13 at 08:43

3 Answers

1

Based on this answer, you should just use the beforeSend callback and then add the Authorization header on your own.

AgentFire
  • This is it. Any idea how to set this up with pass-through/Windows authentication and not Basic? – Espen Dec 04 '13 at 14:21
1

You are looking for preemptive authentication, and this is highly discouraged. Do not send credentials unless the server challenges you; otherwise you may reveal secrets to an unknown server.

Michael-O
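The caveat above, applied to the `beforeSend` approach from the other answer, as an added example that is not code from any of the posters: the callback attaches a credential up front only when the request resolves to an allowlisted HTTPS origin, and otherwise waits for the server's 401 challenge. `TRUSTED_ORIGINS`, `getAuthHeader`, the URLs and the header value are hypothetical; the stand-in for jqXHR is constructed so the block runs outside a browser.

```javascript
// Hypothetical allowlist: the only origins that may receive credentials unchallenged.
const TRUSTED_ORIGINS = new Set(["https://intranet.example.com"]);

// True only when requestUrl, resolved against the page URL the way a browser
// resolves it, points at an allowlisted origin over HTTPS.
function mayPreauthenticate(requestUrl, pageUrl, trusted = TRUSTED_ORIGINS) {
  let target;
  try {
    target = new URL(requestUrl, pageUrl); // handles relative and //host URLs
  } catch (e) {
    return false; // unparsable URL: never attach credentials
  }
  return target.protocol === "https:" && trusted.has(target.origin);
}

// Builds a jQuery-style beforeSend(jqXHR, settings) callback.
// getAuthHeader is a hypothetical function returning the full header value.
function makeBeforeSend(getAuthHeader, pageUrl, trusted = TRUSTED_ORIGINS) {
  return function beforeSend(jqXHR, settings) {
    if (mayPreauthenticate(settings.url, pageUrl, trusted)) {
      jqXHR.setRequestHeader("Authorization", getAuthHeader());
    }
    // For any other target nothing is sent up front; the request still goes
    // out and the server can answer with its 401 challenge.
    return true;
  };
}

// Constructed stand-in for jqXHR: records the headers the callback sets.
function headersFor(url, pageUrl) {
  const headers = {};
  const fakeXhr = { setRequestHeader: (name, value) => { headers[name] = value; } };
  const getAuthHeader = () => "Basic <constructed-credentials>";
  makeBeforeSend(getAuthHeader, pageUrl)(fakeXhr, { url: url });
  return headers;
}
```

This only applies to schemes where the script itself holds the credential; with Negotiate/Kerberos the browser produces the token, so page script has nothing to attach.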
0

Update, as you don't need to allow anonymous access.

You could remove the default IIS authentication module and/or add your own custom HttpModule for a specific part:

  <location path="PathToWebApi">
    <system.web>
      <httpModules>
        <!-- default IIS HttpModules  -->
        <remove name="WindowsAuthentication"/>
        <remove name="FormsAuthentication"/>
        <remove name="PassportAuthentication"/>
        <remove name="RoleManager"/>
        <remove name="UrlAuthorization"/>
        <remove name="FileAuthorization"/>
        <remove name="AnonymousIdentification"/>
        <remove name="Profile"/>
        <add name="CustomAuthentication" type="Your.NameSpace.CustomAuthentication"/>
      </httpModules>
    </system.web>
    <system.webServer>
      <modules runAllManagedModulesForAllRequests="false">
        <add name="CustomAuthentication" type="Your.NameSpace.CustomAuthentication" preCondition="managedHandler"/>
      </modules>
    </system.webServer>
  </location>

You can implement a `CustomAuthentication : IHttpModule` class that inspects the incoming request context and sets the current user identity depending on your custom logic.

    public void Init(HttpApplication context)
    {
        //add event listener to authenticate Http request
        //context.AuthenticateRequest += new EventHandler(AuthenticateRequest); //Session is null at AuthenticateRequest state
        context.PreRequestHandlerExecute += new EventHandler(OnPreRequestHandlerExecute);
    }
aifarfa
  • That won't do the thing OP asked for. – AgentFire Nov 21 '13 at 08:52
  • I used a custom IHttpModule `PreRequestHandlerExecute` event to check the incoming request's access token, headers and cookies, then decide whether to redirect anonymous access or respond with a custom JSON message for an AJAX request. This should serve the purpose. – aifarfa Nov 21 '13 at 09:06
  • I believe the MVC engine does that automatically in case the client has cookies. It is however quite bizarre why the client is lacking ones. – AgentFire Nov 21 '13 at 11:57