COU-646 - Basic IIS authentications could save lives!

Created by Eric Frost 12 Jan 2018, 10:09:44 Updated by Chris Norwood 15 Jan 2018, 07:47:50

Basic Authentication is a widely-used standard web technology that's configured at the web server level (see https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/basicauthentication).

I have our dev and UAT servers set up successfully with Courier and can transfer content between them using Courier; however, in order to do this I've had to switch off Basic Authentication in IIS. The client would like to have this sort of authentication turned on (or some other way of hiding the non-live environments from the world at large other than robots.txt).

As of now I can't seem to find any information on Our, in the issue tracker or how to enable this on Stack Overflow. This question has been popping up a few times on Our but there is no definitive answer to this request.

Since the authentication is at the web server level, this would need to be something that happened during the startup of Courier (when the user clicks on the "Courier" node and a location); it's really just an extra step before Courier kicks in and does anything relating to the other location.

Comments

Gareth Evans 14 Jan 2018, 19:34:05

@efrost

I've just done some research and it doesn't look like you can configure the ClientCredentials (to support BasicAuthentication) directly via currently exposed config.

You could create a new class copying CourierWebserviceRepositoryProvider (you would have to decompile this using DotPeek as the methods that need to be changed are marked private) and set the ClientCredentials on the HttpClient in GetWebServiceUrlFollowingRedirects as well as in GetWebservice on repositoryWebservice1.

Then in courier.config, where the repository is defined http://sample.local

Just change the defining type for the repository to your provider (instead of the built-in one) which adds the basic authentication onto the relevant HttpClient and SoapHttpClient objects.

Note: I'm not a member of the core team and I'm just giving you a possible workaround. This would lock you into a specific version and prevent upgrades without more work on your side (as you'd need to re-make the provider every time you upgraded) and it would be much better if this was a feature that was added.
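
The credential wiring described in the comment above, as an added example that is not part of the original thread and is not Courier's code. The class name, method names and appSettings keys are hypothetical, and it assumes the SOAP proxy derives from the standard .NET `SoapHttpClientProtocol`; it scopes the credentials to the Basic scheme and a single HTTPS host so the password is not offered elsewhere.

```csharp
using System;
using System.Configuration;
using System.Net;
using System.Net.Http;
using System.Web.Services.Protocols;

// Added example: all names and appSettings keys here are hypothetical, not Courier APIs.
public static class BasicAuthClientHelper
{
    // Builds a credential cache limited to one host and to the Basic scheme,
    // so the password is not supplied to any other host (e.g. after a redirect).
    public static ICredentials BuildCredentials(Uri endpoint)
    {
        // Basic auth only base64-encodes the password; refuse to send it in clear text.
        if (endpoint.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("Basic authentication requires an HTTPS endpoint.");

        // Hypothetical keys; keep the values out of source control.
        string user = ConfigurationManager.AppSettings["Courier.BasicAuth.User"];
        string pass = ConfigurationManager.AppSettings["Courier.BasicAuth.Password"];
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(pass))
            throw new ConfigurationErrorsException("Basic auth credentials are not configured.");

        var cache = new CredentialCache();
        cache.Add(new Uri(endpoint.GetLeftPart(UriPartial.Authority)), "Basic",
                  new NetworkCredential(user, pass));
        return cache;
    }

    // For the plain HTTP client (the comment's HttpClient case).
    public static HttpClient CreateHttpClient(Uri endpoint)
    {
        var handler = new HttpClientHandler
        {
            Credentials = BuildCredentials(endpoint),
            // After the first 401 challenge, send the header up front on later requests.
            PreAuthenticate = true
        };
        return new HttpClient(handler);
    }

    // For a generated SOAP proxy (the comment's SoapHttpClient case).
    public static void Apply(SoapHttpClientProtocol proxy)
    {
        proxy.Credentials = BuildCredentials(new Uri(proxy.Url));
        proxy.PreAuthenticate = true;
    }
}
```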


Chris Norwood 15 Jan 2018, 07:47:50

Thank you - this is really useful (I'm the one that raised the request originally as a client wants to keep their dev/uat environments hidden, Eric kindly raised the feature request for me).

This would be OK as a workaround initially - I'd much rather see it added as a feature but at least I could meet the requirements initially without too much work.


Priority: Normal

Type: Feature (request)

State: Submitted

Assignee:

Difficulty:

Category:

Backwards Compatible: True

Fix Submitted:

Affected versions: 3.1.6

Due in version:

Sprint:

Story Points:

Cycle: