Perhaps I'm missing something, or perhaps .NET is missing something (preferably the former)
When building an application (not exclusively ASP.NET, but such is my situation; specifically an ASP.NET hosted WCF DS) it seems there's no native way to create a NetworkCredential object from an HttpRequest, or any similar request/header container,.
Do we always have to roll our own, or is there some magic tucked away in System.Net.* or System.Web.* with a signature like:
NetworkCredential GetAuthorization(HttpRequest request);
It's trivial I know, but I would assume something standard to the HTTP architecture would be included in something that is otherwise so encompassing (.NET)
So, home-brew string manipulation, or magic method hiding somewhere?
I don't think there's anything built-in; it would be of limited use, since most clients use Kerberos or Digest authentication instead.
However, it's fairly simple to roll your own:
static NetworkCredential ParseBasicAuthorizationHeader(string value)
{
if (string.IsNullOrWhiteSpace(value))
{
return null;
}
if (!value.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
{
return null;
}
byte[] data = Convert.FromBase64String(value.Substring(6));
value = Encoding.GetEncoding("ISO-8859-1").GetString(data);
int index = value.IndexOf(':');
if (index == -1 || index == 0 || index == value.Length - 1)
{
return null;
}
return new NetworkCredential(
value.Substring(0, index), // Username
value.Substring(index + 1)); // Password
}
Bear in mind that, like all other HTTP headers, the Authorization header is completely controlled by the client, and should therefore be treated as untrusted user input.