Hi folks,

i'm trying to goto the following url :-

http://user1:pass1@localhost:1234/api/users?format=xml

nothing to complex. Notice how i've got the username/password in the url? this, i believe, is for basic authentication.

When I do that, the Request Headers are MISSING the 'Authorize' header. Er... that's not right :(

I have anonymous authentication only setup on the site. I don't want to have anon off and basic turned on .. because not all of the site requires basic.. only a few action methods.

So .. why is this not working? Is this something to do with the fact my code is not sending a 401 challenge or some crap?

For What It's Worth, my site is ASP.NET MVC1 running on IIS7 (and the same thing happens when i run it on cassini).

Update:

If this is an illegal way of calling a resource using basic auth (ala security flaw) .. then is this possible to do, for an ASP.NET MVC website .. per action method (and not the entire site, per say)?