A few months back I was given a task to put in basic authentication into Sitecore 9.3. It was mainly from preventing anyone to get into staging sites. I came across and older blog that is currently missing. I wanted to give them credit since it was the inspiration for this blog. You can find the original blog post on the web archives here. I have made some of my own updates including Rules Based Configuration.

using System;
using System.Web;
using Sitecore.Diagnostics;
using Sitecore.Pipelines.HttpRequest;
using System.Text;
using System.Net.Http.Headers;
using System.Linq;

namespace Abc.SharedSource.SitecoreProcessors
{
    public class BasicAuthentication : HttpRequestProcessor
    {
        private bool CheckPassword(string username, string password)
        {
            string[] userlist = Sitecore.Configuration.Settings.GetSetting("BasicAuthUsername").Split(',');
            string[] passwords = Sitecore.Configuration.Settings.GetSetting("BasicAuthPassword").Split(',');

            if(userlist.Contains(username) && passwords.Contains(password))
            {
                return true;
            }
            else
            {
                return false;
            }
        }

        private void AuthenticateUser(string credentials)
        {
            try
            {
                var encoding = Encoding.GetEncoding("iso-8859-1");
                credentials = encoding.GetString(Convert.FromBase64String(credentials));

                int separator = credentials.IndexOf(':');
                string name = credentials.Substring(0, separator);
                string password = credentials.Substring(separator + 1);
             
                if (!CheckPassword(name, password))
                {
                    HttpContext.Current.Response.StatusCode = 401;
                }
            }
            catch
            {
                HttpContext.Current.Response.StatusCode = 401;
            }
        }
        //Basic Auth Code End

        public override void Process(HttpRequestArgs args)
        {
            Assert.ArgumentNotNull(args, "args");
            if (Sitecore.Context.Item != null || Sitecore.Context.Database == null || args.Url.ItemPath.Length == 0)
                return;

            if (Sitecore.Configuration.Settings.GetSetting("TurnonBasicAuth") != "True" || Sitecore.Configuration.Settings.GetSetting("TurnonBasicAuth") == "") return;
            if (PatternMatch()) return;
            var request = args.HttpContext.Request;

            var authHeader = request.Headers["Authorization"];
            if (authHeader != null)
            {
                var authHeaderVal = AuthenticationHeaderValue.Parse(authHeader);

                // RFC 2617 sec 1.2, "scheme" name is case-insensitive
                if (authHeaderVal.Scheme.Equals("basic",
                        StringComparison.OrdinalIgnoreCase) &&
                    authHeaderVal.Parameter != null)
                {
                    AuthenticateUser(authHeaderVal.Parameter);
                }
            }
            else
            {
                args.HttpContext.Response.StatusCode = 401;
            }

            if (HttpContext.Current.Response.StatusCode == 401)
            {
                string Realm = Sitecore.Context.Site.TargetHostName;//HttpContext.Current.Request.Url.AbsoluteUri;
                args.HttpContext.Response.Clear();
                args.HttpContext.Response.Headers.Add("WWW-Authenticate",
                    string.Format("Basic realm=\"{0}\"", Realm));
                args.HttpContext.Response.Flush();
                args.HttpContext.Response.End();
            }
        }
        bool PatternMatch()
        {         
            string[] mockUrls = Sitecore.Configuration.Settings.GetSetting("ExcludedPaths").Split(',');
            string url = Sitecore.Context.Site.TargetHostName;// HttpContext.Current.Request.Url.AbsoluteUri;
            foreach (var urlval in mockUrls)
            {
                var containsurl = url.Contains(urlval);
                if(containsurl)
                {
                    return true;
                }
            }
            return false;
        }
    }
}

Since this is Sitecore 9.3 the configuration below is using rules based. 🙂 More than likely you would want to require the ContentManagement role, but you can modify the configuration to use any roles and environments. I put the username and settings in the configuration since Sitecore will also have its own and in this case is only for preventing anyone who accidently finds the site from seeing anything.

<?xml version="1.0" encoding="utf-8" ?>
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:localenv="http://www.sitecore.net/xmlconfig/localenv/" xmlns:role="http://www.sitecore.net/xmlconfig/role/">
<sitecore role:require="ContentManagement, Standalone">
    <pipelines localenv:require="DevBuild or LocalDeveloper">
      <httpRequestBegin>
        <processor type="Abc.SharedSource.SitecoreProcessors.BasicAuthentication, BrookfieldResidential.Extensions"
						   patch:before="processor[@type='Sitecore.Pipelines.HttpRequest.UserResolver, Sitecore.Kernel']"/>
      </httpRequestBegin>
    </pipelines>
    <settings localenv:require="DevBuild or LocalDeveloper">
      <setting name="TurnonBasicAuth" value="True"></setting>
      <setting name="ExcludedPaths" value="media,layouts,speak,/sitecore,/sitecore/admin,brpsc.dev.local/about" />
      <setting name="BasicAuthUsername" value="UserTest1,TestUser2,TesUser3" />
      <setting name="BasicAuthPassword" value="testpass1,testpass2,testpass3" />
    </settings>
  </sitecore>
</configuration>

You should then get the default login screen that looks like this: