fault(Authenticator a) class method must be called to install an instance of
the Authenticator subclass for the entire Java Virtual Machine (JVM).
After the authenticator has been installed, the JVM will invoke one of
Authenticator's requestPasswordAuthentication() methods, which in turn invokes
the overriding getPasswordAuthentication() method, when the HTTP server
requires basic authentication. This can be seen in the following output, which proves
that the server has granted access to the resource (sort of):
Password requested from test.webdav.org for authentication
scheme basic
null: HTTP/1.1 404 Not Found
Date: Mon, 19 Sep 2011 03:09:11 GMT
Content-Length: 209
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Server: Apache/2.0.54 (Debian GNU/Linux) DAV/2 SVN/1.3.2
404
This output shows that authorization has succeeded. However, it also shows that the
resource cannot be found. (I guess one can't have everything.)
Digest Authentication
Because the basic authentication scheme assumes a secure and trusted connection
between client and server, it transmits credentials in the clear (there's no encryption [the
process of transforming information, referred to as plaintext, via an algorithm known
as a cipher, into something unreadable except to those possessing special knowledge,
usually referred to as a key]; base64 can be readily decoded), making it easy for
eavesdroppers to access this information. For this reason, HTTP 1.1, which is described
in RFC 2616: Hypertext Transfer Protocol—HTTP/1.1 (http://www.ietf.org/rfc/rfc2616.txt),
introduced the digest authentication scheme to deal with the
basic authentication scheme's lack of security. According to this scheme, the
WWW-Authenticate header specifies Digest as the token. It also specifies the
realm="quoted string" attribute pair.
The digest authentication scheme uses MD5, which is a one-way cryptographic hashing
algorithm, to encrypt the password. It also uses server-generated one-time nonces
(values that vary with time, such as timestamps and visitor counters) to prevent replay
(also known as man-in-the-middle) attacks. Although the password is secure, the rest of
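The contrast between the two schemes described above, as an added example that is not code from the original text: it decodes a captured Basic header back to the credentials, then computes a Digest response to show that changing the server nonce changes the value sent. The class and method names are hypothetical, the sample user, password, realm and first nonce are the ones from the RFC 2617 example, the second nonce is constructed, and the qop=auth formula is RFC 2617's (assumes Java 8+ for java.util.Base64).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class BasicVsDigest {
    // Hex-encoded MD5 of a string, the hash the digest scheme applies.
    static String md5Hex(String s) throws Exception {
        byte[] hash = MessageDigest.getInstance("MD5")
                .digest(s.getBytes(StandardCharsets.ISO_8859_1));
        StringBuilder hex = new StringBuilder();
        for (byte b : hash) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Basic: the credentials are only base64-encoded, so anyone who
    // captures the Authorization header can reverse it.
    static String decodeBasic(String headerValue) {
        byte[] raw = Base64.getDecoder().decode(headerValue.substring("Basic ".length()));
        return new String(raw, StandardCharsets.ISO_8859_1);
    }

    // Digest with qop=auth (RFC 2617): the password only enters through HA1,
    // and the server nonce is mixed into the final hash.
    static String digestResponse(String user, String realm, String password,
            String method, String uri, String nonce, String nc, String cnonce)
            throws Exception {
        String ha1 = md5Hex(user + ":" + realm + ":" + password);
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }

    public static void main(String[] args) throws Exception {
        // Sample credentials and nonce from the RFC 2617 example, not from this page.
        String user = "Mufasa", password = "Circle Of Life", realm = "testrealm@host.com";
        String basic = "Basic " + Base64.getEncoder().encodeToString(
                (user + ":" + password).getBytes(StandardCharsets.ISO_8859_1));
        System.out.println(basic + "  decodes to  " + decodeBasic(basic));

        String first = digestResponse(user, realm, password, "GET", "/dir/index.html",
                "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b");
        if (!first.equals("6629fae49393a05397450978507c4ef1"))
            throw new AssertionError("does not match the RFC 2617 example response");
        // Constructed second nonce: the same request now needs a different response,
        // so a response captured under the first nonce is useless for replay.
        String second = digestResponse(user, realm, password, "GET", "/dir/index.html",
                "constructed-nonce-0002", "00000001", "0a4f113b");
        System.out.println("nonce 1: " + first + "\nnonce 2: " + second);
    }
}
```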