Learning The "J"


HTTP Basic access authentication

Basic access authentication is a method for an HTTP user agent to provide a user name and password when making a request.

HTTP Basic authentication is one of the simplest ways to protect web pages because it needs no cookies, no session handling and no login page. Instead, the client sends its credentials in a static request header, so no handshake has to be performed beforehand. That simplicity comes at a price: the scheme itself provides no confidentiality or integrity, so it relies on the connection between client and server being trusted. The credentials are only Base64-encoded, not encrypted, and are resent with every request; if SSL/TLS is not used they travel as plaintext and can be intercepted and replayed by anyone on the network path.

Server-side Protocol

When the server wants the user agent to authenticate itself to the server, it sends a challenge: a response with the HTTP 401 Unauthorized status code carrying a WWW-Authenticate header.

The WWW-Authenticate header for Basic authentication (the most commonly used scheme) is constructed as follows. The realm is a quoted string; browsers display it in the login prompt, and it scopes the credentials so that one set of credentials is reused for every resource under the same realm. RFC 7617 additionally allows an optional charset parameter (the only permitted value is "UTF-8") telling the client how to encode non-ASCII user names and passwords.

WWW-Authenticate: Basic realm="insert realm"

Client-side Protocol

When the user agent wants to send its credentials to the server, it uses the Authorization header.

The Authorization header is constructed as follows:

The user name and password are combined into a single string "username:password" (the user name may not contain a colon; the password may, so a server must split on the first colon only)
The resulting string is encoded using Base64
The authorization scheme and a space, i.e. "Basic ", are put before the encoded string

For example, if the user agent uses 'Aladdin' as the user name and 'open sesame' as the password, the header is formed as follows:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
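The following is an added example, written in Python rather than the page's Java EE context, and is not code from the original post. It puts both halves of the exchange described above into working code: the server builds the WWW-Authenticate challenge, the client builds the Authorization header exactly as the three steps describe (reproducing the Aladdin value), and the server parses and verifies it. The parser handles the cases the prose only hints at: a case-insensitive scheme name, invalid Base64, a missing colon, and a password that itself contains colons. The realm, the user store and the function names are assumptions chosen for the example, and the sample users are constructed data.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Assumed realm and user store for this example; a real server would look users
# up in a database and keep only salted password hashes. Constructed sample data.
REALM = "Restricted Area"
USERS = {"Aladdin": "open sesame", "jdoe": "pa:ss:word"}


def build_challenge(realm: str = REALM) -> str:
    """Server side: value of the WWW-Authenticate header sent with a 401 response.

    The realm is a quoted-string, so quotes and backslashes inside it are escaped.
    charset="UTF-8" (RFC 7617) tells the client how to encode non-ASCII credentials.
    """
    escaped = realm.replace("\\", "\\\\").replace('"', '\\"')
    return f'Basic realm="{escaped}", charset="UTF-8"'


def build_authorization(username: str, password: str) -> str:
    """Client side: "username:password" -> Base64 -> "Basic <token>"."""
    if ":" in username:
        raise ValueError("username must not contain ':'")  # RFC 7617, section 2
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Server side: recover (username, password) from an Authorization header value.

    Returns None for anything malformed instead of raising, so the caller can
    answer with a plain 401 and not leak parser details to the client.
    """
    if not header:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None  # missing token or wrong scheme (scheme names are case-insensitive)
    try:
        decoded = base64.b64decode(parts[1].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not valid Base64, or not valid UTF-8 after decoding
    if ":" not in decoded:
        return None  # the user-id:password separator is mandatory
    # Split on the FIRST colon only: user names may not contain ':' but passwords may.
    username, password = decoded.split(":", 1)
    return username, password


def check_credentials(username: str, password: str) -> bool:
    """Compare in constant time so response timing does not reveal how many
    leading characters of the password were correct."""
    supplied = password.encode("utf-8")
    expected = USERS.get(username)
    if expected is None:
        # Unknown user: still perform a comparison so the timing resembles a real one.
        hmac.compare_digest(supplied, b"\x00" * len(supplied))
        return False
    return hmac.compare_digest(supplied, expected.encode("utf-8"))


def handle_request(headers: dict) -> Tuple[int, dict]:
    """Minimal request handler: 200 when the credentials verify, otherwise a
    401 Unauthorized carrying the challenge so the client knows what to send."""
    creds = parse_authorization(headers.get("Authorization"))
    if creds is None or not check_credentials(*creds):
        return 401, {"WWW-Authenticate": build_challenge()}
    return 200, {"X-Authenticated-User": creds[0]}


if __name__ == "__main__":
    # Client builds the header for the RFC's example credentials.
    auth = build_authorization("Aladdin", "open sesame")
    print("Authorization:", auth)
    # Server: first an unauthenticated request (challenge), then the authenticated one.
    print(handle_request({}))
    print(handle_request({"Authorization": auth}))
```

Two design points worth noting: a malformed header is treated exactly like a missing one (a 401 with the challenge) rather than a 400 with an error message, which keeps the parser from becoming an oracle, and the password comparison uses hmac.compare_digest instead of ==. Neither makes Basic authentication safe without TLS; the token in the Authorization header is still a reversible encoding of the password.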

Here is full working code in the context of RESTful web services