In-Depth Information
Authentication
RFC 1945: Hypertext Transfer Protocol—HTTP/1.0 ( http://www.ietf.org/rfc/rfc1945.txt ) informs you about HTTP 1.0 providing a simple challenge-response mechanism that a server can use to challenge a client's request to access some resource. Furthermore, the client can use this mechanism to provide credentials (typically username and password) that authenticate (prove) the client's identity. When the supplied credentials satisfy the server, the user is authorized (allowed) to access the resource.
To challenge a client, the originating server issues a "401 Unauthorized" message. This message includes a WWW-Authenticate HTTP header that identifies an authentication scheme (the approach taken to achieve authentication) via a case-insensitive token. A comma-separated sequence of attribute/value pairs follows the token to supply scheme-specific parameters necessary for performing authentication. The client replies with an Authorization header that provides the credentials.
Note HTTP 1.1 made it possible to authenticate a client with a proxy. To challenge a client, a proxy server issues a "407 Proxy Authentication Required" message, which includes a Proxy-Authenticate header. A client replies via a Proxy-Authorization header.
Basic Authentication and the Authenticator Class
HTTP 1.0 introduced the basic authentication scheme by which a client identifies itself via a username and a password. The basic authentication scheme works as follows:
• The WWW-Authenticate header specifies Basic as the token and a single realm="quoted string" pair that identifies the realm (a protected space to which a resource belongs, such as a specific group of web pages) referred to by the browser address.
• In response to this header, the browser displays a dialog box in which a username and password are entered.
• Once entered, the username and password are concatenated into a string (a colon is inserted between the username and password), the string is base64-encoded, and the result is placed in an Authorization header that's sent back to the server. (To learn more about base64 encoding, check out Wikipedia's Base64 entry at http://en.wikipedia.org/wiki/Base64 .)
• The server base64-decodes these credentials and compares them to values stored in its username/password database. When there's a match, the application
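The following is an added example, not code from the book, showing both halves of the exchange described above: parsing a WWW-Authenticate challenge into its scheme token and attribute/value pairs, building the base64-encoded Authorization header on the client side, and decoding and checking it on the server side. Class and method names (BasicAuthDemo, parseChallenge, authorizationHeader, decodeAuthorization, credentialsMatch) and the sample username, password and realm are assumptions made for this example; it uses only the standard java.util.Base64 and java.security.MessageDigest APIs.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (not from the book): the Basic scheme end to end.
public class BasicAuthDemo {

    // Parse a WWW-Authenticate value such as   Basic realm="Protected Area"
    // into its case-insensitive scheme token plus the attribute/value pairs
    // that follow it (quotes around values are stripped).
    static Map<String, String> parseChallenge(String header) {
        Map<String, String> result = new LinkedHashMap<>();
        int space = header.indexOf(' ');
        String scheme = space < 0 ? header : header.substring(0, space);
        result.put("scheme", scheme.toLowerCase());   // token is case-insensitive
        if (space < 0) return result;
        for (String pair : header.substring(space + 1).split(",")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue;
            String key = pair.substring(0, eq).trim().toLowerCase();
            String value = pair.substring(eq + 1).trim();
            if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\"")) {
                value = value.substring(1, value.length() - 1);
            }
            result.put(key, value);
        }
        return result;
    }

    // Client side: "username:password", base64-encoded, after the "Basic " token.
    static String authorizationHeader(String username, String password) {
        String raw = username + ":" + password;
        return "Basic " + Base64.getEncoder()
                .encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    // Server side: decode the header and split on the FIRST colon only,
    // because a password may itself contain colons. Returns null on any
    // malformed input so the caller can answer with 401 again.
    static String[] decodeAuthorization(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
        String raw = new String(decoded, StandardCharsets.UTF_8);
        int colon = raw.indexOf(':');
        if (colon < 0) return null;
        return new String[] { raw.substring(0, colon), raw.substring(colon + 1) };
    }

    // Compare the supplied pair with the stored pair in constant time so the
    // response time does not reveal how many leading characters matched.
    static boolean credentialsMatch(String[] supplied, String expectedUser, String expectedPassword) {
        if (supplied == null) return false;
        byte[] a = (supplied[0] + ":" + supplied[1]).getBytes(StandardCharsets.UTF_8);
        byte[] b = (expectedUser + ":" + expectedPassword).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) {
        // Constructed sample values; a real server would look the expected
        // pair up in its user database instead of hard-coding it.
        Map<String, String> challenge = parseChallenge("Basic realm=\"Protected Area\"");
        System.out.println("challenge: " + challenge);

        String header = authorizationHeader("alice", "s3cret:with:colons");
        System.out.println("client sends: Authorization: " + header);

        String[] creds = decodeAuthorization(header);
        System.out.println("server decoded user=" + creds[0] + " password=" + creds[1]);
        System.out.println("match: " + credentialsMatch(creds, "alice", "s3cret:with:colons"));
        System.out.println("garbage header accepted: "
                + credentialsMatch(decodeAuthorization("Basic !!!not-base64"), "alice", "x"));
    }
}
```

Two points the example makes visible that the bullet list only implies: base64 is an encoding, not encryption, so anyone who can read the request can recover the username and password, and Basic authentication is only safe over TLS; and the server must treat the Authorization value as untrusted input (bad base64, a missing colon, or a wrong scheme token all come back as null rather than an exception). MessageDigest.isEqual is used for the comparison because an early-exit string equality check can leak, through timing, how much of a guess was correct.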