René Nyffenegger's collection of things on the web

Authentication with HTTP

Client sends a normal HTTP request for a resource (URI):
GET /private/financials.doc HTTP/1.1 
Accept: application/msword, */* 
Accept-Language: en-us 
Accept-Encoding: gzip, deflate 
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) 
Host: 192.168.1.1:81 
Connection: Keep-Alive 
Server requires authentication for the resource and answers with a 401 challenge (Apache phrases it "Authorization Required"; the RFC reason phrase is "Unauthorized"). The WWW-Authenticate header names the scheme (Basic) and the realm:
HTTP/1.1 401 Authorization Required
Date: Sat, 28 Aug 2001 22:22:22 GMT 
Server: Apache/1.3.19 (Unix) 
WWW-Authenticate: Basic realm="This is a private area" 
Keep-Alive: timeout=15, max=100 
Connection: Keep-Alive 
Transfer-Encoding: chunked 
Content-Type: text/html; charset=iso-8859-1 
Client (browser) opens a dialog box (an ugly one, imho) asking for username and password and showing the realm string (here: This is a private area).
The user enters username and password; the client (browser) resubmits the same request augmented with an Authorization header:
(If the user presses Cancel, the browser simply renders the body of the 401 response, i.e. the error page the server sent along with the challenge.)
GET /private/financials.doc HTTP/1.1 
Accept: application/msword, */* 
Accept-Language: en-us 
Accept-Encoding: gzip, deflate 
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) 
Host: 192.168.1.1:81 
Connection: Keep-Alive 
Authorization: Basic ZJZ0p0nDlaQFcyBGtZ== 
The string ZJZ0p0nDlaQFcyBGtZ== is the Base64 encoding (not encryption!) of the username, followed by a colon (:), followed by the password. Anyone who can read the request (on the wire, in a proxy log, in a browser cache) recovers the password with a single Base64 decode, so Basic authentication only protects the credentials if the connection itself is protected by TLS (https). Note also that the browser remembers the credentials and from now on sends the Authorization header preemptively with every further request below that directory on the same server.
The server checks username and password. If ok, the server sends the requested object. If not, the server sends 401 Authorization Required again.
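The exchange above, as an added example (Python; this is not code from the original page): a client-side helper that builds the Authorization header, a server-side check that decodes it, looks the user up and compares the password in constant time, and a decoder that shows the "encryption" is plain Base64. The user name, password, credential table and realm are assumptions made for the example.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Assumed values for the example; a real server keeps salted password hashes, not plaintext.
REALM = "This is a private area"
USERS: Dict[str, str] = {"rene": "s3cret"}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}


def build_basic_authorization(username: str, password: str) -> str:
    """Client side: the Authorization header value sent after the 401 challenge."""
    if ":" in username:
        # The user name cannot contain a colon, it would be ambiguous with the separator.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_authorization(header_value: str) -> Optional[Tuple[str, str]]:
    """Anyone who sees the header can do this: Base64 is encoding, not encryption.

    Returns (username, password), or None when the header is not well-formed Basic."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # Only the first colon separates user and password; the password may contain colons.
    user, sep, pwd = raw.partition(":")
    if not sep:
        return None
    return user, pwd


def check_request(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Server side: (status code, response headers) for a request to the protected resource."""
    auth = headers.get("Authorization")
    if auth is None:
        # First request: no credentials yet, send the challenge.
        return 401, dict(CHALLENGE)
    creds = decode_basic_authorization(auth)
    if creds is None:
        # Garbage in the header: treat as unauthenticated and re-challenge.
        return 401, dict(CHALLENGE)
    user, pwd = creds
    # Look up a dummy password for unknown users so the comparison always runs,
    # and compare in constant time; both avoid leaking which part was wrong via timing.
    expected = USERS.get(user, "")
    password_ok = hmac.compare_digest(pwd.encode("utf-8"), expected.encode("utf-8"))
    if user not in USERS or not password_ok:
        return 401, dict(CHALLENGE)
    return 200, {"Content-Type": "application/msword"}


def exchange(username: str, password: str) -> Tuple[int, int]:
    """The whole dance: status of the first (anonymous) and second (authenticated) request."""
    first_status, first_headers = check_request({})
    assert first_headers.get("WWW-Authenticate", "").startswith("Basic ")
    second_status, _ = check_request({"Authorization": build_basic_authorization(username, password)})
    return first_status, second_status


if __name__ == "__main__":
    print(exchange("rene", "s3cret"))                                # (401, 200)
    print(exchange("rene", "wrong"))                                 # (401, 401)
    print(decode_basic_authorization("Basic cmVuZTpzM2NyZXQ="))       # ('rene', 's3cret')
```

The decoder is the whole attack against Basic authentication over plain HTTP: run it on a sniffed or logged Authorization header and the password is in clear text.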

Links

RFC 2617: HTTP Authentication: Basic and Digest Access Authentication (since superseded by RFC 7617 for Basic and RFC 7616 for Digest)