Securing the HTTP Communication


This section provides information on how to use the CAtlHttpClient class to issue authenticated HTTP requests and how to perform secure HTTPS communication.

Authentication

CAtlHttpClient supports two authentication schemes: Basic Authentication (based on username and password) and NTLM (Windows credentials) authentication. Additional authentication schemes can be supported, or different implementations for the supported schemes can be used, but you'll have to provide classes for handling the authentication objects. These authentication objects have to be derivatives of CAtlBaseAuthObject.

The HTTP client class contains a map of authentication objects indexed by the authentication scheme that they support. Such a map might contain at a given moment objects to support different forms of authentication. For example, it may contain a CNTLMAuthObject for the NTLM authentication scheme and a CBasicAuthObject for the Basic Authentication scheme. When the server attempts to authenticate the client, the CAtlHttpClient code will walk the list of authentication objects and try to find one that matches the server requirements.

The code for adding authentication to an HTTP client generally looks like this:

    CAtlHttpClient  client;
    CNTLMAuthObject authObj;
    if( !client.AddAuthObject(ATL_HTTP_AUTHTYPE_NTLM, &authObj) )
    {
        // error handling here
    }

This code supports the NTLM authentication scheme by using the credentials of the currently running thread (which are most likely the credentials of the currently logged-on user).

To provide the credentials of an alternate user, or to retrieve authentication information for a user, you can use an implementation of the IAuthInfo interface, either in the construction of the authentication object or passed as a third parameter to AddAuthObject. IAuthInfo exposes methods that return the username, the password, and the authentication domain, and this information is then used by the authentication object. Such an implementation might invoke a username/password dialog box or load this information from a different source. You must use an IAuthInfo implementation for Basic Authentication.
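As an added illustration (not code from ATL Server or from this book), here is a portable stand-in for the IAuthInfo contract described above, a caller-supplied implementation, and the Authorization header a Basic authentication object builds from it. The AuthInfo, StaticAuthInfo, base64 and basicAuthorizationHeader names are assumptions for this example; ATL's real interface fills caller buffers and returns HRESULT, which is simplified here.

```cpp
#include <cstdint>
#include <string>

// Portable stand-in for the IAuthInfo contract the text describes: three accessors for
// username, password and domain. (ATL's real interface returns HRESULT into caller
// buffers; that detail is simplified here.)
struct AuthInfo {
    virtual ~AuthInfo() = default;
    virtual std::string username() const = 0;
    virtual std::string password() const = 0;
    virtual std::string domain() const = 0;
};

// One possible implementation: credentials supplied by the caller (constructed values).
struct StaticAuthInfo : AuthInfo {
    std::string user, pass, dom;
    StaticAuthInfo(std::string u, std::string p, std::string d) : user(u), pass(p), dom(d) {}
    std::string username() const override { return user; }
    std::string password() const override { return pass; }
    std::string domain() const override { return dom; }
};

// Base64 (RFC 4648, no line breaks): the only transformation the Basic scheme applies.
std::string base64(const std::string& in) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::string out;
    size_t i = 0;
    for (; i + 2 < in.size(); i += 3) {           // full 3-byte groups
        uint32_t n = (uint8_t)in[i] << 16 | (uint8_t)in[i + 1] << 8 | (uint8_t)in[i + 2];
        out += tbl[n >> 18]; out += tbl[(n >> 12) & 63];
        out += tbl[(n >> 6) & 63]; out += tbl[n & 63];
    }
    if (i < in.size()) {                           // 1 or 2 trailing bytes, padded with '='
        uint32_t n = (uint8_t)in[i] << 16;
        if (i + 1 < in.size()) n |= (uint8_t)in[i + 1] << 8;
        out += tbl[n >> 18]; out += tbl[(n >> 12) & 63];
        out += (i + 1 < in.size()) ? tbl[(n >> 6) & 63] : '=';
        out += '=';
    }
    return out;
}

// The header a Basic authentication object emits from the IAuthInfo data. Basic uses only
// username and password (RFC 7617); the domain is used by the NTLM scheme. Base64 is
// trivially reversible, so over a socket without HTTPS these credentials are effectively
// sent in the clear.
std::string basicAuthorizationHeader(const AuthInfo& info) {
    return "Authorization: Basic " + base64(info.username() + ":" + info.password());
}
```

The RFC 7617 sample credentials ("Aladdin" / "open sesame") produce `Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==`, which is why the HTTPS discussion in the next section matters when Basic Authentication is in use.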

Secure Communication (HTTPS)

HTTPS isn't directly supported by the ATL Server HTTP client. The designers considered that the most common scenario for using ATL Server in a client application is a SOAP client, and alternate solutions for HTTPS are available in SOAP (CSoapWininetClient and CSoapMSXMLInetClient both wrap HTTP stacks that support HTTPS).

However, if a given application requires HTTPS support while using CAtlHttpClient, you can accomplish this by implementing a socket wrapper class that hides the HTTPS layer from the CAtlHttpClient class.

As we stated at the beginning of this chapter, CAtlHttpClient is defined as

    typedef CAtlHttpClientT<ZEvtSyncSocket> CAtlHttpClient;

ZEvtSyncSocket is the default socket wrapper class, which doesn't support HTTPS. However, by creating a custom class that supports it (say, CSecureSyncSocket), you can define an HTTPS-enabled HTTP client as follows:

    typedef CAtlHttpClientT<CSecureSyncSocket> CAtlHttpsClient;

You can find an example of this in the MSDN documentation, in the SecureSOAP sample (ms-help://MS.VSCC/MS.MSDNVS/vcsample/html/vcsamSecureSOAPSample.htm). In this sample, the solution described previously is used to implement SOAP HTTPS communication with a CAtlHttpClientT class.




ATL Server. High Performance C++ on. NET