Question

If you are building a self-hosted web page around HttpListener, how can you handle authentication in a secure way? I don't want to use Basic Authentication because it passes credentials as clear text. I know that digest is another option:

        listener = new HttpListener();
        listener.Prefixes.Add(url);
        listener.AuthenticationSchemes = AuthenticationSchemes.Digest; 
        listener.Start();

Is it secure enough and what are the standard / best practices for actually grabbing the username/password and authenticating them?

In this situation there is no web.config or hosting environment by default.

Solution

Using authentication with HttpListener means having Windows do your authentication for you using its built-in authentication system (i.e. Active Directory). This means for digest authentication you need to create domain accounts for your users. Is this what you were intending? If you want to do your own custom authentication, that's a more complicated matter. I won't go into how to do that unless you say that's what you want to do.

Other tips

I would consider implementing support for claims-based security. You would have to handle security tokens, but the actual user authentication can be "outsourced" to external identity providers.

You could probably leverage Windows Identity Foundation (WIF) for handling most of the work.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow