Before we get started
Some details of how OpenRasta works need to be discussed, as it provides a rich feature set to allow for extension. Based on my experience with the code base and talking with other developers involved in the project, here is my interpretation of some of the core features of OpenRasta. These may be incorrect, and if so feel free to leave a comment and I'll attempt to rectify the gaps in my knowledge.
The Pipeline
This is a fundamental concept in the structure of the OpenRasta framework. It provides an entry point for almost anything, allowing a developer to jump in at any point in the pipeline and perform some operation.
Digest Authentication (for OpenRasta version 2.0.3214.437)
OpenRasta provides a way for a developer to quickly support authentication by using Digest Authentication. This is built right in to the pipeline by default, but will only get invoked if there is an instance of IAuthenticationProvider registered in the IoC container.
A working example
Below follows a very simple example of a Visual Studio 2010 project that is based on the current RTM of OpenRasta. It implements the required IAuthenticationProvider interface and is just a showcase for how to use Digest Authentication. The source code for this sample solution can be found here: http://github.com/scottlittlewood/OpenRastaDigestDemo
Make sure your web.config has the following line:
<authentication mode="None"/>
Implement IAuthenticationProvider:
    public class AccountDigestAuthenticationProvider : IAuthenticationProvider
    {
        private readonly IUserCredentials _users;

        public AccountDigestAuthenticationProvider(IUserCredentials users)
        {
            _users = users;
        }

        public Credentials GetByUsername(string username)
        {
            return _users.GetCredentialsFor(username);
        }
    }
Configure OpenRasta:
    public class Configuration : IConfigurationSource
    {
        public void Configure()
        {
            using (OpenRastaConfiguration.Manual)
            {
                ResourceSpace.Uses.CustomDependency<IUserCredentials, UserCredentials>(DependencyLifetime.Singleton);
                ResourceSpace.Uses.CustomDependency<IAccounts, Accounts>(DependencyLifetime.Singleton);

                // Registering an instance of IAuthenticationProvider causes digest authentication to be invoked.
                // OpenRasta checks internally whether there is one in the DI resolver.
                ResourceSpace.Uses.CustomDependency<IAuthenticationProvider, AccountDigestAuthenticationProvider>(DependencyLifetime.Singleton);

                ResourceSpace.Has.ResourcesOfType<HomeResource>()
                    .AtUri("/home")
                    .And.AtUri("/")
                    .HandledBy<HomeHandler>()
                    .RenderedByAspx("~/Views/HomeView.aspx");

                ResourceSpace.Has.ResourcesOfType<AccountResource>()
                    .AtUri("/my-account")
                    .HandledBy<AccountHandler>()
                    .RenderedByAspx("~/Views/AccountView.aspx");
            }
        }
    }
Create your resource:
    public class AccountResource
    {
        public decimal Balance { get; private set; }
        public string AccountHolder { get; private set; }

        public AccountResource(string accountHolder, decimal balance)
        {
            AccountHolder = accountHolder;
            Balance = balance;
        }

        public AccountResource(Account account)
        {
            Balance = account.Balance;
            AccountHolder = account.AccountHolder;
        }
    }
Decorate your protected handler/operations:
    /// <summary>
    /// Force the user to provide authentication for ALL operations on this handler
    /// </summary>
    [RequiresAuthentication]
    public class AccountHandler
    {
        private readonly IAccounts _accounts;

        // will be injected by the IoC built in to OpenRasta
        public ICommunicationContext Context { get; set; }

        // OpenRasta will inject these dependencies
        public AccountHandler(IAccounts accounts)
        {
            _accounts = accounts;
        }

        public OperationResult Get()
        {
            // get the account for the logged in user
            var username = Context.User.Identity.Name;
            var account = _accounts.GetForUser(username);

            // check for a missing account before building the resource from it
            if (account == null)
                return new OperationResult.NotFound();

            var accountResource = new AccountResource(account);

            // return their bank account balance
            return new OperationResult.OK(accountResource);
        }
    }
Notes
The OpenRasta Digest implementation requires that the username and password are stored in clear text as internally it calculates the relevant digest parameters. A more configurable implementation should be possible.
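As an added example (not OpenRasta's code and not part of the demo project), the RFC 2617 check below shows that a digest response with qop=auth can be verified from a stored HA1 = MD5(username:realm:password) alone, without keeping the clear-text password. The class and method names are hypothetical, and the sample values are the worked example from RFC 2617.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example with hypothetical names: RFC 2617 digest check from a stored HA1.
public static class DigestCheck
{
    static string Md5Hex(string s)
    {
        using (var md5 = MD5.Create())
        {
            var hash = md5.ComputeHash(Encoding.UTF8.GetBytes(s));
            return BitConverter.ToString(hash).Replace("-", "").ToLowerInvariant();
        }
    }

    // Computed once at enrolment or password change; only this value is stored.
    public static string ComputeHa1(string username, string realm, string password)
    {
        return Md5Hex(username + ":" + realm + ":" + password);
    }

    // Verifies the client's "response" field using only the stored HA1.
    public static bool Verify(string storedHa1, string method, string uri,
        string nonce, string nc, string cnonce, string qop, string clientResponse)
    {
        var ha2 = Md5Hex(method + ":" + uri);
        var expected = Md5Hex(string.Join(":", new[] { storedHa1, nonce, nc, cnonce, qop, ha2 }));
        return FixedTimeEquals(expected, clientResponse);
    }

    // Compares without exiting early on the first differing character.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        var diff = 0;
        for (var i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Sample request values taken from the worked example in RFC 2617.
        var ha1 = ComputeHa1("Mufasa", "testrealm@host.com", "Circle Of Life");
        var ok = Verify(ha1, "GET", "/dir/index.html",
            "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b", "auth",
            "6629fae49393a05397450978507c4ef1");
        Console.WriteLine(ok);
    }
}
```

A stored HA1 is still password-equivalent within its realm, so the credential store needs the same protection as before; what it avoids is exposing the clear-text password itself. Nonce freshness and nc replay tracking are not covered here.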
Supporting Basic Authentication
We had a requirement for adding support for Basic Authentication in OpenRasta and took a step towards generalising the authentication process in OpenRasta, making it extensible and configurable. I'll be discussing this in a later post. The source code for this branch can be found on my github account: http://github.com/scottlittlewood/openrasta-stable