Anonymous authentication is well suited for web pages and web services that do not need to restrict access, or for sites that handle usernames and passwords themselves over a secure (SSL-encrypted) network connection. In contrast, basic authentication requires the user to supply a valid username and password (one that corresponds to an account on the system or domain). When a user visits an active server page that requires basic authentication, the browser retrieves the user’s username and password from the system and sends them to the server, which in turn grants or denies the user access.
To better understand basic authentication, change the ShowUser web server to require basic authentication by performing these steps:
1. Within the Internet Services Manager window, click the plus sign that precedes the server and expand the web server to locate the ShowUser folder. Right-click the folder and choose Properties. Windows will display the folder’s Properties dialog box.
2. Within the Properties dialog box, select the Directory Security tab. Windows will display the Directory Security sheet. Click the Edit button. Windows will display the Authentication Modes dialog box, shown in Figure 8.3.
3. Within the Authentication Modes dialog box, clear the Anonymous Access check box. Then place a checkmark in the Basic Authentication check box, as shown in Figure 8.4, and choose OK.
4. Windows will display a dialog box warning you that Basic Authentication sends username and password information as clear text and asking whether you want to continue. Select Yes.
Next, use your browser to connect to the ShowUser web service again. When you run the Username method, the server will ask your browser for your credentials. After your browser retrieves and sends them, the web service will display information about the account you are currently logged in as. In this case, because you are running the web service on your own system (from localhost), your username and password are also valid on the web service’s host, so the server can use them to log you into the system.
Figure 8.4: Assigning basic authentication to the ShowUser web service
If you were instead connecting to the web service from a remote PC, and the server did not have a user account that matched your login information, the server would return an HTTP 401 access denied error, as shown in Figure 8.5.
Although basic authentication provides a way of requiring a user to supply a valid username and password, you should avoid it because it exposes the username and password to interception by attackers on the Internet. When a program passes a username and password to a server that requires basic authentication, it sends the information in plain text (unencrypted) unless the connection itself is encrypted. An attacker who intercepts the message can simply read the username and password. As such, you should avoid the use of basic authentication within the web services you create.
Figure 8.5: If you do not provide a valid username and password to a system that requires basic authentication, the server will deny access.
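The exchange described above, as an added example that is not part of the original text or of the ShowUser service: the server answers an unauthenticated request with 401 and a challenge, the browser replies with an Authorization header, and the server validates it. The account store and the credentials are constructed sample values; the decoder also shows why the header counts as clear text.

```python
import base64
import hmac
from typing import Optional, Tuple

# Constructed sample account store (hypothetical, not from the original text).
# A real server checks the credentials against system or domain accounts.
ACCOUNTS = {"alice": "s3cret-pass"}
REALM = "ShowUser"


def build_basic_authorization(username: str, password: str) -> str:
    """Build the Authorization header a browser sends for basic authentication.

    The value is only Base64-encoded "username:password"; Base64 is an
    encoding, not encryption, so anyone who captures this header can read it.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from an Authorization header, or None if absent/malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    username, password = decoded.split(":", 1)   # the password itself may contain ':'
    return username, password


def handle_request(headers: dict) -> Tuple[int, dict, str]:
    """Server-side decision: 200 for a valid account, otherwise 401 with a challenge."""
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is not None:
        username, password = creds
        expected = ACCOUNTS.get(username)
        # Constant-time comparison, run even for unknown users so response timing
        # does not reveal which usernames exist.
        if hmac.compare_digest(password.encode(), (expected or "").encode()) and expected is not None:
            return 200, {}, f"Logged in as {username}"
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "Access denied"


if __name__ == "__main__":
    print(handle_request({}))                      # 401 plus WWW-Authenticate challenge
    hdr = build_basic_authorization("alice", "s3cret-pass")
    print(hdr, "decodes to", parse_basic_authorization(hdr))
    print(handle_request({"Authorization": hdr}))  # 200 for the matching account
```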