Custom authentication


casper

I'm building an application from which external applications can download
files. The external application makes a web request with credentials
to my application. Before returning the file as a stream I need to
check the username and password of the request. Usernames/passwords are
stored in a SQL Server.
How do I retrieve the username and password from the web request?

/casper
 
Joe Kaplan (MVP - ADSI)

The transport level security stuff is designed to work with Windows
authentication, not custom authentication. It is intended to plug into the
auth mechanisms supported by IIS, not custom protocols.

That said, if you really must use the CredentialCache with HttpWebRequest,
you will essentially want to implement your own Basic authentication
protocol as you'll probably need plaintext passwords, right?

Essentially, you would disable authentication in IIS (set to anonymous).
Then, you would implement an HTTP module that handles the BeginRequest
method and checks for the presence of a Basic authentication header. If one
is not present, you would set the status code to 401 and add the proper
www-authenticate header to the return response and call CompleteRequest.

Then, in a separate event handler for the module (AuthenticateRequest), you
would read the basic authentication header, extract user name and password
and authenticate against your data source as appropriate. If the user is
authenticated, you would create some kind of a GenericPrincipal for the user
and associate it with the HttpContext.User property. If not, you would send
it back again.

Then, in web.config, you would set up authorization to only allow
authenticated users, and you should be all set.

I'd suggest reading up on basic authentication in the RFC spec and doing
some network or http header sniffing so you can see how it works and what
the headers look like.

You will also need to decide whether to lock out accounts after too many bad
password attempts and whether to allow more than X attempts to authenticate
a certain user in a certain period of time. A lot of this depends on how
secure you need this to be and how resistant to hacking you want to make it.

Best of luck,

Joe K.
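The module Joe outlines, written out as an added example (not code from the thread): a BeginRequest handler that challenges with 401 when no Basic header is present, an AuthenticateRequest handler that decodes the header, checks it against SQL Server and attaches a GenericPrincipal. It assumes IIS set to anonymous, a connection string named "Users", and a Users table holding a per-user salt and PBKDF2 hash; since Basic sends the password as base64 of the plaintext, it belongs behind HTTPS.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;
// Assumed: IIS set to anonymous, this module registered in web.config, connection string named "Users".
public class BasicAuthModule : IHttpModule {
    public void Init(HttpApplication app) {
        // BeginRequest: no usable Basic header yet -> 401 challenge and stop the pipeline.
        app.BeginRequest += (s, e) => { if (Parse(app.Request.Headers["Authorization"]) == null) Challenge(app); };
        app.AuthenticateRequest += (s, e) => {  // header present: verify it, attach a principal or challenge again
            string[] cred = Parse(app.Request.Headers["Authorization"]);
            if (cred != null && Verify(cred[0], cred[1]))
                app.Context.User = new GenericPrincipal(new GenericIdentity(cred[0], "Basic"), new string[0]);
            else Challenge(app);
        };
    }
    public void Dispose() { }
    static void Challenge(HttpApplication app) {
        app.Response.StatusCode = 401;
        app.Response.AddHeader("WWW-Authenticate", "Basic realm=\"downloads\"");  // constructed realm name
        app.CompleteRequest();  // short-circuits the pipeline: the file handler never runs
    }
    // "Basic <base64(user:password)>" -> {user, password}; null if the header is absent or malformed.
    static string[] Parse(string header) {
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return null;
        try {
            string decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim()));
            int colon = decoded.IndexOf(':');  // split on the first ':' only; a password may itself contain ':'
            return colon < 0 ? null : new[] { decoded.Substring(0, colon), decoded.Substring(colon + 1) };
        } catch (FormatException) { return null; }  // not valid base64
    }
    // Assumed schema: Users(Username, Salt, PasswordHash) with PasswordHash = PBKDF2(password, Salt, 100000 iterations).
    static bool Verify(string user, string password) {
        using (var conn = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["Users"].ConnectionString))
        using (var cmd = new SqlCommand("SELECT Salt, PasswordHash FROM Users WHERE Username = @u", conn)) {
            cmd.Parameters.AddWithValue("@u", user); conn.Open();  // parameterised: the username cannot inject SQL
            using (var r = cmd.ExecuteReader()) {
                if (!r.Read()) return false;  // unknown user
                byte[] salt = (byte[])r[0], stored = (byte[])r[1];
                byte[] computed = new Rfc2898DeriveBytes(password, salt, 100000).GetBytes(stored.Length);
                int diff = 0;  // constant-time compare: no early exit on the first differing byte
                for (int i = 0; i < stored.Length; i++) diff |= computed[i] ^ stored[i];
                return diff == 0;
            }
        }
    }
}
```

With the principal set, a web.config `<authorization>` section that denies anonymous users (`<deny users="?" />`) keeps the file handler out of reach until this module has passed the request. The lockout and per-user attempt limits Joe raises are not shown here and would be tracked in Verify before the hash check.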
 
