IIS rewrite rule for basic auth on the querystring

Question

I am trying to automatically log in users to an Xwiki install via basic auth. This is because help is stored in the wiki, but we want the retrieval process to be transparent to the user.

We push the user off to a url (via an <a> tag) like: http://username:password@xwiki.example.org/xwiki/bin/view/Main?basicauth=1

This works fine in every browser except Internet Explorer (see: http://support.microsoft.com/kb/834489. Unfortunately, 80% of our user base uses Internet Explorer and it is not an option to have them type in the credentials manually.

Currently, we have IIS 7.5 sitting in front of Xwiki and proxying all requests to the Tomcat instance on another server. This works fine. To solve my problem, I thought I could use a IIS rewrite rule to turn a url like this:

http://xwiki.example.org/xwiki/bin/view/Main?basicauth=1&_username=username&_password=password

into this:

http://username:password@xwiki.example.org/xwiki/bin/view/Main?basicauth=1&_username=username&_password=password

The idea being that IIS would substitute the _username/_password querystring parameters into the URL and pass it off to Tomcat, and Xwiki would ignore the extra parameters.

I have created a URL rewrite rule like:

<rule name="BasicAuthRewrite" enabled="true">
   <match url="https?://(.+)&amp;?_username=(.+)&amp;_password=(.+)" />
   <action type="Rewrite" url="http://{R:2}:{R:3}@xwiki.example.org/{R:1}" />
</rule>

When I go 'Test pattern' in IIS and supply my url, all the backreferences ({R:x}) match up to the data I want. However, when I visit the URL in my browser, the rewrite rule fails to invoke.

Is there any way I can achieve my desired behaviour?

Answer 1

It is possible to do Basic authentication with URL rewrite on IIS. You should add the server variable HTTP_Authorization the value Basic followed by the username:password in base64. Remember to add the variable in the allowed variables

So for the user Aladdin with the password open sesame you the format would be Aladdin:open sesame and base64 encoded QWxhZGRpbjpvcGVuIHNlc2FtZQ==.

Which translates into Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

<rule name="SomeName" stopProcessing="true">
    <match url="url/to/match" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
    <action type="Rewrite" url="http://www.redirecturl.com/" appendQueryString="true" />
    <serverVariables>
        <set name="HTTP_Authorization" value="Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" />
    </serverVariables>
</rule>

Answer 2

This should do:

<rule name="BasicAuthRewrite" stopProcessing="true">
    <match url="(.*)" />
    <conditions trackAllCaptures="true">
        <add input="{QUERY_STRING}" pattern="basicauth=1&amp;_username=(.+)&amp;_password=(.+)" />
    </conditions>
    <action type="Rewrite" url="http://{C:1}:{C:2}@xwiki.example.org/{R:1}" appendQueryString="false" />
</rule>

Answer 3

Authorization cannot be delegated to ARR. Therefore, if the contents are highly sensitive in nature and require authorization, it is recommended that you do not enable cache. ARR

But there is work around solution.

Solution

Answer 4

It appears this is not possible in IIS.