Java Reference
In-Depth Information
fault(Authenticator a) class method must be called to install an instance of the Authenticator subclass for the entire Java Virtual Machine (JVM). After the authenticator has been installed, the JVM will invoke one of Authenticator's requestPasswordAuthentication() methods, which in turn invokes the overriding getPasswordAuthentication() method, when the HTTP server requires basic authentication. This can be seen in the following output, which proves that the server has granted access to the resource (sort of):
Password requested from test.webdav.org for authentication scheme basic
null: HTTP/1.1 404 Not Found
Date: Mon, 19 Sep 2011 03:09:11 GMT
Content-Length: 209
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Server: Apache/2.0.54 (Debian GNU/Linux) DAV/2 SVN/1.3.2
404
This output shows that authorization has succeeded. However, it also shows that the resource cannot be found. (I guess one can't have everything.)
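To show how the pieces described above fit together, here is an added example (not the book's own code) of an Authenticator subclass whose getPasswordAuthentication() override inspects the challenge before answering it, and of installing it with setDefault(). The host name is the one printed in the output above; the user name, the password and the URL read from args[0] are assumed placeholders.

```java
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.PasswordAuthentication;
import java.net.URL;

// Added example, not the book's own code. The host name is the one printed in
// the output above; user name, password and the URL in args[0] are placeholders.
public class GuardedAuthenticator extends Authenticator {
    private static final String EXPECTED_HOST = "test.webdav.org";
    private final String user;
    private final char[] password;

    GuardedAuthenticator(String user, char[] password) {
        this.user = user;
        this.password = password;
    }

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        String scheme = getRequestingScheme();     // "basic" or "digest"
        String host = getRequestingHost();
        String protocol = getRequestingProtocol(); // "http" or "https"
        System.out.println("Password requested from " + host
                + " for authentication scheme " + scheme);
        // Never answer a proxy challenge with the server's credentials.
        if (getRequestorType() != RequestorType.SERVER) {
            return null;
        }
        // Only the host we configured may receive these credentials.
        if (!EXPECTED_HOST.equalsIgnoreCase(host)) {
            return null;
        }
        // Basic carries the password base64-encoded, i.e. in the clear, so
        // refuse it unless the connection is protected by TLS.
        if ("basic".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(protocol)) {
            System.out.println("Refusing basic authentication over plain HTTP");
            return null;
        }
        // Hand out a copy; the caller may clear the array it receives.
        return new PasswordAuthentication(user, password.clone());
    }

    public static void main(String[] args) throws Exception {
        Authenticator.setDefault(
                new GuardedAuthenticator("user", "secret".toCharArray()));
        URL url = new URL(args[0]); // URL of the protected resource
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        System.out.println(conn.getResponseCode()); // 401 when credentials are withheld
    }
}
```

Returning null from getPasswordAuthentication() makes the JVM proceed without credentials, so a refused challenge shows up as a 401 rather than as leaked credentials.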
Digest Authentication
Because the basic authentication scheme assumes a secure and trusted connection between client and server, it transmits credentials in the clear (there's no encryption [the process of transforming information, referred to as plaintext, via an algorithm known as a cipher, into something unreadable except to those possessing special knowledge, usually referred to as a key]; base64 can be readily decoded), making it easy for eavesdroppers to access this information. For this reason, HTTP 1.1, which is described in RFC 2616: Hypertext Transfer Protocol—HTTP/1.1 (http://www.ietf.org/rfc/rfc2616.txt), introduced the digest authentication scheme to deal with the basic authentication scheme's lack of security. According to this scheme, the WWW-Authenticate header specifies Digest as the token. It also specifies the realm="quoted string" attribute pair.
The digest authentication scheme uses MD5, which is a one-way cryptographic hashing algorithm, to encrypt the password. It also uses server-generated one-time nonces (values that vary with time, such as timestamps and visitor counters) to prevent replay (also known as man-in-the-middle) attacks. Although the password is secure, the rest of