Basic Authentication with #Sitecore 9.3

A few months back I was given a task to put in basic authentication into Sitecore 9.3. It was mainly from preventing anyone to get into staging sites. I came across and older blog that is currently missing. I wanted to give them credit since it was the inspiration for this blog. You can find the original blog post on the web archives here. I have made some of my own updates including Rules Based Configuration.

using System;
using System.Web;
using Sitecore.Diagnostics;
using Sitecore.Pipelines.HttpRequest;
using System.Text;
using System.Net.Http.Headers;
using System.Linq;

namespace Abc.SharedSource.SitecoreProcessors
{
    public class BasicAuthentication : HttpRequestProcessor
    {
        private bool CheckPassword(string username, string password)
        {
            string[] userlist = Sitecore.Configuration.Settings.GetSetting("BasicAuthUsername").Split(',');
            string[] passwords = Sitecore.Configuration.Settings.GetSetting("BasicAuthPassword").Split(',');

            if(userlist.Contains(username) && passwords.Contains(password))
            {
                return true;
            }
            else
            {
                return false;
            }
        }

        private void AuthenticateUser(string credentials)
        {
            try
            {
                var encoding = Encoding.GetEncoding("iso-8859-1");
                credentials = encoding.GetString(Convert.FromBase64String(credentials));

                int separator = credentials.IndexOf(':');
                string name = credentials.Substring(0, separator);
                string password = credentials.Substring(separator + 1);
             
                if (!CheckPassword(name, password))
                {
                    HttpContext.Current.Response.StatusCode = 401;
                }
            }
            catch
            {
                HttpContext.Current.Response.StatusCode = 401;
            }
        }
        //Basic Auth Code End

        public override void Process(HttpRequestArgs args)
        {
            Assert.ArgumentNotNull(args, "args");
            if (Sitecore.Context.Item != null || Sitecore.Context.Database == null || args.Url.ItemPath.Length == 0)
                return;

            if (Sitecore.Configuration.Settings.GetSetting("TurnonBasicAuth") != "True" || Sitecore.Configuration.Settings.GetSetting("TurnonBasicAuth") == "") return;
            if (PatternMatch()) return;
            var request = args.HttpContext.Request;

            var authHeader = request.Headers["Authorization"];
            if (authHeader != null)
            {
                var authHeaderVal = AuthenticationHeaderValue.Parse(authHeader);

                // RFC 2617 sec 1.2, "scheme" name is case-insensitive
                if (authHeaderVal.Scheme.Equals("basic",
                        StringComparison.OrdinalIgnoreCase) &&
                    authHeaderVal.Parameter != null)
                {
                    AuthenticateUser(authHeaderVal.Parameter);
                }
            }
            else
            {
                args.HttpContext.Response.StatusCode = 401;
            }

            if (HttpContext.Current.Response.StatusCode == 401)
            {
                string Realm = Sitecore.Context.Site.TargetHostName;//HttpContext.Current.Request.Url.AbsoluteUri;
                args.HttpContext.Response.Clear();
                args.HttpContext.Response.Headers.Add("WWW-Authenticate",
                    string.Format("Basic realm=\"{0}\"", Realm));
                args.HttpContext.Response.Flush();
                args.HttpContext.Response.End();
            }
        }
        bool PatternMatch()
        {         
            string[] mockUrls = Sitecore.Configuration.Settings.GetSetting("ExcludedPaths").Split(',');
            string url = Sitecore.Context.Site.TargetHostName;// HttpContext.Current.Request.Url.AbsoluteUri;
            foreach (var urlval in mockUrls)
            {
                var containsurl = url.Contains(urlval);
                if(containsurl)
                {
                    return true;
                }
            }
            return false;
        }
    }
}

Since this is Sitecore 9.3 the configuration below is using rules based. 🙂 More than likely you would want to require the ContentManagement role, but you can modify the configuration to use any roles and environments. I put the username and settings in the configuration since Sitecore will also have its own and in this case is only for preventing anyone who accidently finds the site from seeing anything.

<?xml version="1.0" encoding="utf-8" ?>
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:localenv="http://www.sitecore.net/xmlconfig/localenv/" xmlns:role="http://www.sitecore.net/xmlconfig/role/">
<sitecore role:require="ContentManagement, Standalone">
    <pipelines localenv:require="DevBuild or LocalDeveloper">
      <httpRequestBegin>
        <processor type="Abc.SharedSource.SitecoreProcessors.BasicAuthentication, BrookfieldResidential.Extensions"
						   patch:before="processor[@type='Sitecore.Pipelines.HttpRequest.UserResolver, Sitecore.Kernel']"/>
      </httpRequestBegin>
    </pipelines>
    <settings localenv:require="DevBuild or LocalDeveloper">
      <setting name="TurnonBasicAuth" value="True"></setting>
      <setting name="ExcludedPaths" value="media,layouts,speak,/sitecore,/sitecore/admin,brpsc.dev.local/about" />
      <setting name="BasicAuthUsername" value="UserTest1,TestUser2,TesUser3" />
      <setting name="BasicAuthPassword" value="testpass1,testpass2,testpass3" />
    </settings>
  </sitecore>
</configuration>

You should then get the default login screen that looks like this:

4 thoughts on “Basic Authentication with #Sitecore 9.3

  1. Hi @reilleyweb, this feature is very interesting and I think this could be a good solution for my needs. I Implement that for my site, but even if I am redirected to a page /login.aspx?returnUrl= I never see the defult login screen. Is there some attention I have to pay?

    Like

    • There might be a setting on your IIS stopping it since it is just the built in authentication. Not sure what setting would block. Assume you checked it, but could be a pop up blocker causing the issue. Check and see your browser network tab/console and see if anything is showing up. I implemented this over a year ago, but still should work.

      Like

      • No popup blocking. I think issue is that, I send a 401 response, but in the browser i receive a 302 redirect to login.aspx

        Like

Leave a Reply to sitecorerunner (@reilleyweb) Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s