Question

I've found a workaround for this, but I have a client with a server that is throwing 400 errors when I make a GET request with an empty Authorization header. It works just fine when there is no Authorization header. I'd like to explain or fix the issue, instead of just saying I fixed it.

My old code was this:

    request.Headers["Authorization"] = _Request.ServerVariables["HTTP_AUTHORIZATION"] ?? string.Empty;
    request.GetResponse();

I switched to this:

    if (_Request.ServerVariables["HTTP_AUTHORIZATION"] != null)
    {
        request.Headers["Authorization"] = _Request.ServerVariables["HTTP_AUTHORIZATION"];
    }
    request.GetResponse();

Solution

You might want to see this question: What is the HTTP_AUTHORIZATION environment variable?

Essentially, when you pass the Authorization header, the server is supposed to use that to test whether the user has access to the underlying resource. By sending the header with a blank value you are essentially telling the server to use blank credentials... which is failing.

When you do not send the Authorization header then the server attempts to use its default credentials for the resource, which passes.

The way this is supposed to work is:

  1. Client requests a resource.
  2. Server attempts to deliver resource. If additional authorization is required then a 401 header is sent back with a WWW-Authenticate header.
  3. Client prompts user for credentials and resubmits request with Authorization header.
  4. Server validates Authorization and, if successful, delivers the resource. If unsuccessful, it will send a 401 again.

Your code should only send the Authorization header IF the remote server responds to the initial request with a 401 and a WWW-Authenticate header. Otherwise that header should not be sent.

More info at: http://en.wikipedia.org/wiki/Basic_access_authentication
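
The four-step flow above, as an added example that is not part of the original answer: the first GET carries no Authorization header, and the caller's value is sent only after the server answers 401 with WWW-Authenticate. `ChallengeAwareClient` and its method names are hypothetical, the URL in the usage comment is a constructed placeholder, and the code assumes the `HttpWebRequest` API used in the question.

```csharp
using System;
using System.Net;

static class ChallengeAwareClient
{
    // inboundAuthorization: the header value received from the caller (may be null or empty).
    // Usage (placeholder URL):
    //   ChallengeAwareClient.Get(new Uri("https://backend.example/resource"),
    //                            _Request.ServerVariables["HTTP_AUTHORIZATION"]);
    public static HttpWebResponse Get(Uri target, string inboundAuthorization)
    {
        try
        {
            // Steps 1-2: the first attempt carries no Authorization header at all.
            return (HttpWebResponse)Create(target, null).GetResponse();
        }
        catch (WebException ex)
        {
            var denied = ex.Response as HttpWebResponse;
            bool challenged = denied != null
                && denied.StatusCode == HttpStatusCode.Unauthorized
                && !string.IsNullOrEmpty(denied.Headers["WWW-Authenticate"]);

            // No challenge, or nothing to answer it with: surface the original error
            // instead of retrying with an empty header value.
            if (!challenged || string.IsNullOrWhiteSpace(inboundAuthorization))
                throw;

            denied.Close();

            // Steps 3-4: answer the challenge. A second 401 propagates as a WebException.
            return (HttpWebResponse)Create(target, inboundAuthorization).GetResponse();
        }
    }

    static HttpWebRequest Create(Uri target, string authorization)
    {
        var request = (HttpWebRequest)WebRequest.Create(target);
        request.Method = "GET";
        if (authorization != null)
        {
            // Set only when there is a real value; the header is otherwise absent.
            request.Headers["Authorization"] = authorization;
        }
        return request;
    }
}
```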

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow