HTTP Basic Authentication


HTTP Basic Authentication explained using tomcat as an example

Use case: tomcat with basic authentication.

Most of you might have used tomcat and tried to look at the list of web applications deployed in it. When the user clicks on the managed web apps link, a pop-up challenge appears in the browser asking for a username and password. The user enters credentials and gets the list of deployed apps. (Refer to Appendix A for username and password details.)


Figure 1: Tomcat challenging for credentials



A few questions this post tries to answer:
  1. How does the browser throw a pop-up challenge when a protected page is accessed?
  2. How are the username and password transferred from the browser to the tomcat server?


Topics:
  1. Tomcat basic authentication flow
  2. Basic authentication HTTP headers

Tomcat basic authentication flow

Scenario: Let's see the flow between the user's browser and the tomcat server when a user tries to access a protected page on the tomcat server.

Image description: on the left side is the user's browser and on the right side is the tomcat server.
Figure: basic authentication flow using tomcat

Note: /manager/html is a protected resource in tomcat.

Step 1: (From User Browser To Tomcat Server)
  1. The user tries to access a protected page on tomcat, i.e. /manager/html.
  2. The HTTP method used here is GET.
  3. The request carries the address of the tomcat server in the Host header. Please see the HTTP headers below that flow during the transaction.


Sample HTTP headers with the Step 1 request and Step 2 response

Step 2: (From Tomcat Server to User Browser)
  1. As the accessed URI (/manager/html) is a protected resource on tomcat, tomcat checks for credentials sent along with the request.
  2. No credentials are present with the request, so tomcat won't let the user access the page; instead it throws a challenge.
  3. Tomcat needs to challenge the user for credentials, i.e. make the browser throw a pop-up for credentials as shown in figure 1.
    1. Tomcat sends HTTP response code 401 to the browser. From the 401 response code the browser understands that the request it made was unauthorized and that it needs to throw a basic authentication pop-up for credentials.
    2. Tomcat additionally sends the HTTP header "WWW-Authenticate" with the word Basic and a realm name:
                          WWW-Authenticate: Basic realm="Tomcat Manager Application"

WWW-Authenticate: Basic means tomcat is expecting credentials in basic authentication format.
realm="Tomcat Manager Application" means that when the browser throws a pop-up, it must use "Tomcat Manager Application" as the name shown in the pop-up challenge (please check figure 1 for details). It is the realm name.

Step 3: (From User Browser To Tomcat Server)
  1. The user enters the username and password in the pop-up challenge.
  2. The browser joins the username and password with a colon and Base64-encodes the joined string.
      Example: tomcat:s3cret     (username:password)
                            Base64 encoding of username:password, i.e. of (tomcat:s3cret),
                            yields the value 'dG9tY2F0OnMzY3JldA=='
  3. The Authorization header "Authorization: Basic" with the Base64 value is passed to the server. The word Basic in the Authorization header means that the browser is sending the credentials in basic authentication format.


Sample HTTP headers with the Step 3 request and Step 4 response

Step 4: (From Tomcat Server to User Browser)
  1. The tomcat server application receives the request and checks for the Authorization header.
  2. The web application decodes the Base64 value of the Authorization header.
  3. It validates the username and password internally and serves the actual page.



Basic authentication HTTP headers:

The security headers in basic authentication are 'WWW-Authenticate' and 'Authorization'.

WWW-Authenticate:
WWW-Authenticate is a response header. When the server receives a request for a protected page and an acceptable Authorization header is not sent, the server responds with a "401 Unauthorized" status code and a WWW-Authenticate header.
WWW-Authenticate: <Auth-type> realm="<Custom name for the realm>"
The custom name for the realm is displayed during the challenge.
ex:                          WWW-Authenticate: Basic realm="Tomcat Manager Application"

Authorization Header:

When the user wants to send credentials to the server, the Authorization header is used. It's a request header and it looks like Authorization: Basic <base 64 encoded credentials>

ex:                                 Authorization: Basic dG9tY2F0OnMzY3JldA==
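As an added example (not from the original post and not tomcat's own code), the Python below models both the flow in Steps 1 to 4 and the two headers just described: the browser-side encoding of tomcat:s3cret, and the server-side parse, decode, validation and 401 challenge. The USERS store and the handle_request function are constructed for this example; they stand in for tomcat-users.xml and the manager servlet.

```python
import base64
import binascii
import hmac

# Constructed credential store standing in for conf\tomcat-users.xml (Appendix A).
USERS = {"tomcat": "s3cret"}
REALM = "Tomcat Manager Application"


def encode_basic(username, password):
    """Browser side (Step 3): join with a colon, then Base64-encode the pair."""
    pair = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")


def parse_basic(header):
    """Server side (Step 4): return (username, password), or None when the
    header is missing, uses another scheme, or is not valid Base64."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the FIRST colon only: the password itself may contain ':'
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def handle_request(headers):
    """Decide GET /manager/html the way tomcat does in Steps 2 and 4.
    Returns (status, response_headers); 401 plus WWW-Authenticate is the
    challenge that makes the browser show the credentials pop-up."""
    creds = parse_basic(headers.get("Authorization", ""))
    if creds is not None:
        username, password = creds
        expected = USERS.get(username)
        # Constant-time comparison so a wrong password is not detectable by timing
        if expected is not None and hmac.compare_digest(
                expected.encode("utf-8"), password.encode("utf-8")):
            return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
```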

Answers to the questions:

  • How does the browser throw a pop-up challenge when a page is accessed?
Answer: On accessing a protected page without valid credentials, the server sends HTTP response code 401 to the browser. This is what makes the browser throw a pop-up challenge.
  • How are the username and password transmitted from the browser to tomcat?
Answer: The user credentials are converted to Base64 format and sent to the server in the HTTP Authorization request header.


Good to know facts:
Appendix A:

The default username and password are tomcat and s3cret respectively, provided the lines below are present in conf\tomcat-users.xml:

  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>


Appendix B:



Base 64: MIME's Base64 implementation uses A-Z, a-z, and 0-9 for the first 62 values. Every 3 octets are encoded into 4 characters. The table below lists the encoded values.
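As an added example (not part of the original post), the Python below implements the 3-octets-to-4-characters packing described above by hand, using the MIME alphabet (A-Z, a-z, 0-9, then '+' and '/'), and reverses it for the decode; run on tomcat:s3cret it reproduces the value from Step 3, including the '=' padding for the odd trailing byte.

```python
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789+/")


def base64_encode(data):
    """Pack each 3-octet group (24 bits) into four 6-bit values, map each
    through ALPHABET, and pad a short final group with '='."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # Left-justify to 24 bits so a 1- or 2-byte tail still yields 4 sextets
        bits = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        chars = [ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        keep = len(chunk) + 1          # 1 byte -> 2 chars, 2 bytes -> 3 chars
        out.append("".join(chars[:keep]) + "=" * (4 - keep))
    return "".join(out)


def base64_decode(text):
    """Reverse the packing: four characters give 24 bits; each '=' marks one
    trailing byte that was never part of the input."""
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        bits = 0
        for ch in group:
            bits = (bits << 6) | (0 if ch == "=" else ALPHABET.index(ch))
        out += bits.to_bytes(3, "big")[:3 - group.count("=")]
    return bytes(out)
```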





Final word..
Thanks to my friends for their support:).
