HttpClientHandler.Proxy or override XMLHTTP - passing credentials automatically for requests

Question

Hi.   Looking for guidance/recommendation/tips on the best way to gain access to web servers that need credentials.  This will be for Windows 8 non domain joined PC's built using JavaScript/HTML.

The goal is to pass credentials from the PasswordVault automatically for each http request, either from HMTL markup or JavaScript requests.

I can successfully request and store credentials using the password vault, and pull them out and use them for individual XMLHTTP requests but that doesn't help with HTML markup that points to images or resources on these secured servers.  It still prompts me for credentials then (as well as sub domains - foo.example.com) 

I have done a little reading on HttpClientHandler.Proxy and it seems like this might work but was hoping for some input from someone who has experience with this or possibly a better method of doing this.

Thanks in advance.

---

www.techtronic.us - My App www.spaceweatherapp.com

Answer 1

Hello,

The HttpClient class will only work for apps/ WinRT component based on the .NET framework, and for HTML/C++, you need to use XHR. Setting the Proxy properties for the HttpClientHandler will not have any effect on XHR requests or requests that arise through the browser.

What exactly are you trying to do? When you say that the credentials work for individual XMLHTTP requests but not for HTML markup, what scenario are you referring to? Are you trying to embed a WebView inside your app that will load the HTML markup or Javascript request for other resources?

Do you have a app code sample of your scenario?

Thanks,

Prashant.

Answer 2

Hi Prashant,

I am just trying to submit credentials for all http requests to a specific domain.

When I said credentials will work for xmlhttp and not markup I mean that I can submit my credentials (on an individual basis) in JavaScript for XMLHTTP, however if I use HTML to call on something (like an img tag) it will still prompt for credentials when hitting a resource that is on a server that requires authentication.  Is there a silver bullet to send credentials for all http requests to a specific domain that is secured?

Example:

        function simpleHttpRequest() {
            var url = "https://foo.example.com";
            var credentials = new retrieveFromPasswordVault();
            var request = new XMLHttpRequest();
            
            request.open("GET", url, true, credentials.userName, credentials.password);
            request.withCredentials = true;
            request.send(null);
            request.onreadystatechange = function () {
                if (request.readyState == 4) {
                    if (request.status == 200) {
                    } else if (failure)
                        failure(request.status, request.statusText);
                }

This works, however I have to use withCredentaisl each time to get the resource.  I would like to do this at a lower level so that it send my credentials automatically.

AND markup

 <img src="https://foo.example.com/awesome.png"/>

would still prompt for credentials too, even though it is the same domain.

I am looking for a way to capture all http traffic to a domain and use my credentials for it.  Similar to the way Enterprise AUthentication works however this application will not be running on domain joined machines.

---

www.techtronic.us - My App www.spaceweatherapp.com

Answer 3

Is there any way to do this at a lower level, to send credentials or authenticate before making connections so that we aren't prompted for credentials each time we hit our domain/subdomain via javascript or html?

---

www.techtronic.us - My App www.spaceweatherapp.com

Answer 4

Is there any way to authenticate at a lower level than this for the entire app?  There has to be, enterprise authentication does......

---

www.techtronic.us - My App www.spaceweatherapp.com

Answer 5

Hello,

I understand your scenario and am researching into your question on whether there is a "credential cache" that will help you.

When you use straight XMLHttp, the credentials you are assigning are valid for that request, rather than the whole app. When the HTML is rendered from the app itself, it does not share credentials with XMLHttp.

On traditional desktop, there is a "Credential Manager" that will let you save generic credentials, but that does not apply for Windows Store apps. I will check further and get back to you.

Btw, what type of authentication is the remote server expecting? Basic?

Thanks,

Prashant.

Answer 6

Thank you. Sorry I wasn't able articulate my requirements but you nailed it. Even if I had to write a Windows Runtime Component I would but not seeing a solution.

---

www.techtronic.us - My App www.spaceweatherapp.com

Answer 7

Basic will do, that's how we store it in the password vault.

---

www.techtronic.us - My App www.spaceweatherapp.com

Answer 8

Hi 7echno7im,

There does not appear to be a way to "save" the credentials that will let you automatically sign-in to websites that require Basic authentication during the rendering process. For Enterprise authentication (NTLM or Negotiate), your logged-in credentials can be used automatically, but Basic authentication is a username/password scheme and your logged-in credentials cannot be "automatically" used for Basic authentication.

The credential cache/ PasswordVault & PasswordCredential class only works for user-controlled code, and it is not applicable for the rendering process.

If you have multiple images from the same website, you can enter the credentials once and hit the "save" button and then you won't be prompted for credentials for any other images to that same site.

Thanks,

Prashant.

Answer 9

Thanks Prashant.  That's sad news.  I was hoping that having the password vault api would help somehow, but it seems like it won't in this case.  We are going to use cordova/phone gap and we were hoping to authenticate at a lower level so that all requests would use our domain credentials.

---

www.techtronic.us - My App www.spaceweatherapp.com