Java Reference
In-Depth Information
Authentication
RFC 1945: Hypertext Transfer Protocol—HTTP/1.0 (http://www.ietf.org/rfc/rfc1945.txt) describes the simple challenge-response mechanism that HTTP 1.0 provides, which a server can use to challenge a client's request to access some resource. The client, in turn, uses this mechanism to supply credentials (typically a username and password) that authenticate (prove) the client's identity. When the supplied credentials satisfy the server, the user is authorized (allowed) to access the resource.
To challenge a client, the originating server issues a “401 Unauthorized” message. This message includes a WWW-Authenticate HTTP header that identifies an authentication scheme (the approach taken to achieve authentication) via a case-insensitive token. A comma-separated sequence of attribute/value pairs follows the token to supply the scheme-specific parameters necessary for performing authentication. The client replies with an Authorization header that provides the credentials.
Note
HTTP 1.1 made it possible to authenticate a client with a proxy. To challenge a client, a proxy server issues a “407 Proxy Authentication Required” message, which includes a Proxy-Authenticate header. A client replies via a Proxy-Authorization header.
Basic Authentication and the Authenticator Class
HTTP 1.0 introduced the basic authentication scheme, by which a client identifies itself via a username and a password. The basic authentication scheme works as follows:
• The WWW-Authenticate header specifies Basic as the token and a single realm="quoted string" pair that identifies the realm (a protected space to which a resource belongs, such as a specific group of web pages) referred to by the browser address.
• In response to this header, the browser displays a dialog box in which a username and password are entered.
• Once entered, the username and password are concatenated into a string (a colon is inserted between the username and password), the string is base64-encoded, and the result is placed in an Authorization header that's sent back to the server. (To learn more about base64 encoding, check out Wiki-
• The server base64-decodes these credentials and compares them to values stored in its username/password database. When there's a match, the application
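The server's challenge, the client's encoded credentials, and the server's decode-and-compare step from the list above, as an added Java example that is not from the book; the class name, the credential store and the usernames and passwords in it are constructed sample values, and Latin-1 is assumed as the credential character set because RFC 1945 does not fix one.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;

public class BasicAuthDemo {
    // RFC 1945 fixes no character set for the credentials; Latin-1 is assumed here.
    private static final Charset CS = StandardCharsets.ISO_8859_1;
    // Server, step 1: value of the WWW-Authenticate header for a realm.
    static String challenge(String realm) {
        return "Basic realm=\"" + realm.replace("\"", "\\\"") + "\"";
    }
    // Client, step 3: "username:password", base64-encoded, after the Basic token.
    static String authorization(String username, String password) {
        if (username.indexOf(':') >= 0)
            throw new IllegalArgumentException("username must not contain ':'");
        return "Basic " + Base64.getEncoder().encodeToString((username + ":" + password).getBytes(CS));
    }
    // Server, step 4: decode and compare; the username on success, empty on any failure.
    static Optional<String> authenticate(String header, Map<String, String> store) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6))
            return Optional.empty();                       // missing or wrong scheme token
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty();                       // malformed base64
        }
        String raw = new String(decoded, CS);
        int colon = raw.indexOf(':');                      // split at the FIRST colon only:
        if (colon < 0) return Optional.empty();            // the password itself may contain ':'
        String user = raw.substring(0, colon);
        String expected = store.get(user);                 // a real store holds password hashes
        if (expected == null) return Optional.empty();
        // Constant-time comparison so timing does not reveal how much of the password matched.
        boolean ok = MessageDigest.isEqual(raw.substring(colon + 1).getBytes(CS), expected.getBytes(CS));
        return ok ? Optional.of(user) : Optional.empty();
    }

    public static void main(String[] args) {
        Map<String, String> store = Map.of("alice", "s3cret:pw"); // constructed sample store
        System.out.println("WWW-Authenticate: " + challenge("Example Site"));
        String header = authorization("alice", "s3cret:pw");
        System.out.println("Authorization: " + header);
        System.out.println(authenticate(header, store) + " " + authenticate(authorization("alice", "nope"), store));
    }
}
```

The credentials travel as reversible base64, not encryption, so the scheme only protects them when the connection itself is encrypted.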