HTTP Basic Authentication explained using tomcat as an example
Use case with tomcat with basic authentication.
Most of you might have used tomcat and tried look at the list of deployed web applications in it . When user clicks on managed web apps link, a pop up challenge appears in the browser for username and password. User enter credentials and gets the list of deployed apps.
(Refer appendix A for username password details).
Tomcat challenging for credentials |
Few questions this post try to answer.
- How does the browser throw a pop up challenge, when a protected page is accessed.
- How are user name and password transferred from browser to tomcat server.
Topics:
Tomcat basic authentication flow - Tomcat basic authentication flow
- Basic authentication HTTP headers
Scenario: Lets see the flow between user browser and tomcat server, when a user trying to access a protected page on tomcat server.
Image description: On the left side is a user browser and right side is tomcat server.
Step 1: (From User Browser To Tomcat Server)
- User tries to access a protected page on tomcat. .i.e, (manager/html)
- HTTP method used here would be a 'GET' method
- A request would contain address of tomcat server as hostname header. please see below http headers that flow during transaction.
Sample http header with Step 1 request and Step 2 response |
Step 2: (From Tomcat Server to User Browser)
- As accessed URI ( /manager/html) is protected resources on tomcat, tomcat would check for credentials along with request.
- No credentials are present with the request, tomcat won't allow the user access the page, instead throws a challenge.
- Tomcat needs to challenge the user for credentials. Tomcat should make browser to throw a pop up for credentials as shown in figure 1.
- Tomcat will send a HTTP response code 401 to browser. By sending a 401 response code, browser would understand, the request it made was an unauthorized request, browser needs to throw a basic authentication popup for credentials.
- Tomcat would additional sends http header "WWW-Authenticate" with realm name and basic word.
WWW-Authenticate: Basic. mean tomcat is expecting credentials in basic authentication format
realm="Tomcat Manager Application" means, then browser throws a pop up, the pop must use "Tomcat ManagerApplication" as name in the popup challenge. please check figure 1 for details. its a realm name.
Step 3: (From User Browser To Tomcat Server)
realm="Tomcat Manager Application" means, then browser throws a pop up, the pop must use "Tomcat ManagerApplication" as name in the popup challenge. please check figure 1 for details. its a realm name.
Step 3: (From User Browser To Tomcat Server)
- User would enter the username and password in the pop up challenge.
- Browser would append username and password with semi colon and would do a base 64 encoding of the appended string.
base 64 encoding of username:password would yield
(tomcat:s3cret) base64 value will be 'dG9tY2F0OnMzY3JldA=='
3. Authorization header "Authorization: Basic" with base 64 is passed to the server. Basic word in the Authorization header means that browser is sending the credentials in basic authentication format
Sample HTTP header with Step 3 request and Step 4 response |
- Tomcat server application would receive the request and check for Authorization header.
- web application would decode the base 64 value of Authorization
- Validates the user name and password internally. And allow the actual page.
Basic authentication HTTP headers:
Security headers in basic authentication are 'WWW-authenticate' and 'authorization'.
WWW-Authenticate:
www-authenticate is a response header. Server receives a request for an accessing a protected page and an
acceptable Authorization header is not sent, the server responds with
a "401 Unauthorized" status code, and a WWW-Authenticate header.
WWW-Authenticate: <Auth-type> realm="<Custom name for the realm>"
Custom name for the realm is displayed during challenge.
ex: WWW-Authenticate: Basic realm="Tomcat Manager Application".
Authorization Header:
Authorization Header:
When
user wants to send credentials to the server, authorization header is used. It’s
a request header and it would look like Authorization: Basic <base 64
encoded credentials>
ex: Authorization: Basic dG9tY2F0OnMzY3JldA==
Answers to the questions:
- How does the browser through a pop up challenge, when page is accessed.
- How are user name and password transmitted from browser to tomcat?
Good to know facts:
Appendix A:Default username and password would be tomcat and s3cret respectively, provided below lines present in conf\tomcat-users.xml
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
Appendix B:
Base
64: MIME's
Base64 implementation uses A–Z, a–z, and 0–9 for the first 62
values. 3 octets into 4 encoded characters. Below table is used for encoded
values.
Final word..
Thanks to my friends for their support:).
No comments:
Post a Comment