asp.net-mvc wcf authentication routes wcf-data-services

RESTful WCF Data Service Authentication


I'd like to implement a REST api to an existing ASP.NET MVC website. I've managed to set up WCF Data services so that I can browse my data, but now the question is how to handle authentication.

Right now the data service is secured via the site's built-in forms authentication, and that's ok when accessing the service from AJAX forms. However, it's not ideal for a RESTful API.

What I would like as an alternative to forms authentication is for the users to simply embed the user name and password into the url to the web service or as request parameters.

For example, if my web service is usually accessible as

http://localhost:1234/api.svc

I'd like to be able to access it using the url

http://localhost:1234/api.svc/{login}/{password}

So, my questions are as follows:

  • Is this a sane approach?

  • If yes, how can I implement this?

It seems trivial to redirect GET requests so that the login and password are attached as GET parameters. I also know how to inspect the HTTP context and use those parameters to filter the results. But I am not sure if / how the same approach could be applied to POST, PUT and DELETE requests. Can I use GET parameters in POST, PUT and DELETE requests?

Edit: The question for me is how to embed login and password into the web service's URL so that I can perform POST, PUT and DELETE requests against the web service. I do know how to implement authentication once the web service is running and the login / password are contained somewhere in the HTTPContext. Also, I am not looking for ways to implement forms or basic authentication. I know how to do it, but it is not what I am looking for.


Solution

  • In the end I used a threefold approach; any of these authentication methods works fine on my data service:

    • Basic authentication with the API key as password
    • Authentication via an API key embedded as request header
    • URL-based authentication with the API key as path to the API. I implemented this with a proxy ASP.NET MVC controller.
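
The three methods listed in the solution can share one key resolver. The following is an added example, not the poster's code: the header name `X-Api-Key`, the proxy route `/api/{key}/...` and the class and method names are assumptions, and it uses plain strings and a dictionary instead of ASP.NET types so it runs as a console program (C# 7 or later; pass headers in a case-insensitive dictionary).

```csharp
using System;
using System.Collections.Generic;
using System.Text;
public static class ApiKeyResolver
{
    const string HeaderName = "X-Api-Key"; // assumed header name, not from the post
    const string RoutePrefix = "/api/";    // assumed proxy route: /api/{key}/{rest}

    // Returns the presented key (or null) and the path to forward to the data service.
    // Nothing here reads the body, so GET, POST, PUT and DELETE are handled alike.
    public static string Resolve(string path, IDictionary<string, string> headers, out string forwardPath)
    {
        forwardPath = path;
        if (headers.TryGetValue(HeaderName, out string v) && v.Length > 0) return v;
        if (headers.TryGetValue("Authorization", out string auth) && auth.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
        {
            try
            {
                string pair = Encoding.UTF8.GetString(Convert.FromBase64String(auth.Substring(6).Trim()));
                int colon = pair.IndexOf(':'); // user:password; the key is the password part
                return colon >= 0 && colon < pair.Length - 1 ? pair.Substring(colon + 1) : null;
            }
            catch (FormatException) { return null; } // malformed base64
        }
        if (!path.StartsWith(RoutePrefix, StringComparison.Ordinal)) return null;
        string rest = path.Substring(RoutePrefix.Length);
        int slash = rest.IndexOf('/');
        string key = slash < 0 ? rest : rest.Substring(0, slash);
        if (key.Length == 0) return null;
        forwardPath = "/api.svc" + (slash < 0 ? "" : rest.Substring(slash)); // key stripped before forwarding
        return key;
    }

    // Compares without stopping at the first differing byte.
    public static bool KeysEqual(string presented, string expected)
    {
        if (presented == null || expected == null) return false;
        byte[] a = Encoding.UTF8.GetBytes(presented), b = Encoding.UTF8.GetBytes(expected);
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        var none = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        string key = Resolve("/api/k-constructed-123/Products(1)", none, out string fwd); // constructed sample
        Console.WriteLine("{0} -> {1}", KeysEqual(key, "k-constructed-123"), fwd);
    }
}
```

Of the three methods, the URL-based one is the only one where the key appears in the request line, so it is recorded in web server and proxy access logs; the header and Basic variants keep it out of the URL.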