Esempio n. 1
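        /// <summary>
        /// Authorizes the request with HTTP Digest authentication: reads the
        /// <c>Authorization</c> header, validates the nonce, recomputes the digest
        /// response and either sets the current principal or writes a 401 response
        /// onto <paramref name="actionContext"/>.
        /// </summary>
        /// <param name="actionContext">The action context carrying the request. Its
        /// <c>Response</c> is assigned on every failure path and left untouched on success.</param>
        /// <remarks>
        /// Any exception thrown while parsing or validating the header is converted
        /// into a 500 response instead of propagating to the caller.
        /// </remarks>
        public override void OnAuthorization(HttpActionContext actionContext)
        {
            try
            {
                var request = actionContext.Request;
                var authorization = request.Headers.Authorization;

                // The first request from a client carries no credentials at all, and a
                // non-Digest scheme (e.g. Basic) is not something Header is built to parse;
                // both cases get the challenge instead of falling into the catch as a 500.
                if (authorization == null
                    || !string.Equals(authorization.Scheme, "Digest", StringComparison.OrdinalIgnoreCase))
                {
                    UnauthorizedResponse(actionContext);
                    return;
                }

                var header = new Header(authorization.Parameter, request.Method.Method);

                if (!Nonce.IsValid(header.Nonce, header.NounceCounter))
                {
                    // nonce failure
                    // NOTE(review): unlike the other failure paths this returns a bare 401 without
                    // going through UnauthorizedResponse, so the client may not receive a fresh
                    // challenge — confirm that is intended.
                    actionContext.Response = request.CreateResponse(HttpStatusCode.Unauthorized);
                    return;
                }

                // here would go your code to check username / password against your user data store.
                // For the purpose of the exercise the credentials are valid when username and password are the same.
                string password = header.UserName;

                // Standard HTTP Digest computation with qop=auth:
                //   HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
                //   response = MD5(HA1:nonce:nc:cnonce:qop:HA2).
                // NOTE(review): header.Uri is taken from the client as-is and is not compared
                // with request.RequestUri here — confirm Header (or the caller) enforces that.
                string ha1 = $"{header.UserName}:{header.Realm}:{password}".ToMD5Hash();
                string ha2 = $"{header.Method}:{header.Uri}".ToMD5Hash();
                string computedResponse = $"{ha1}:{header.Nonce}:{header.NounceCounter}:{header.Cnonce}:auth:{ha2}".ToMD5Hash();

                // The response digest is attacker-controlled; compare it in fixed time so the
                // comparison's duration does not reveal how many leading characters matched.
                if (FixedTimeEquals(computedResponse, header.Response))
                {
                    // Computed digest matches the value sent by the client, we can create a principal here and pass authentication.
                    AuthenticationHelper.SetCurrentPrincipal(actionContext, header.UserName, password);
                }
                else
                {
                    // auth failure
                    UnauthorizedResponse(actionContext);
                }
            }
            catch (Exception)
            {
                // Any failure while parsing or validating the header (malformed parameter, etc.)
                // surfaces as a 500 rather than an unhandled exception.
                actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.InternalServerError);
            }
        }

        /// <summary>
        /// Ordinal string equality whose running time does not depend on the position
        /// of the first differing character.
        /// </summary>
        /// <param name="expected">The server-computed value.</param>
        /// <param name="actual">The client-supplied value; may be <c>null</c>.</param>
        /// <returns><c>true</c> when both are non-null and identical; otherwise <c>false</c>.</returns>
        private static bool FixedTimeEquals(string expected, string actual)
        {
            if (expected == null || actual == null)
            {
                return false;
            }

            // Fold every character difference into one accumulator instead of returning
            // at the first mismatch. A length mismatch only reveals the length, which for
            // a hex MD5 digest is fixed anyway.
            int diff = expected.Length ^ actual.Length;
            int length = Math.Min(expected.Length, actual.Length);
            for (int i = 0; i < length; i++)
            {
                diff |= expected[i] ^ actual[i];
            }

            return diff == 0;
        }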