IT350 Web and Internet Programming SlideSet #18: HTTP Authentication

SlideSet #18: HTTP Authentication
IT350 Web and Internet Programming

http://www.httpwatch.com/httpgallery/authentication/
http://httpd.apache.org/docs/2.2/howto/auth.html

Outline

  • HTTP Basic Authentication
  • HTTP Digest Authentication
HTTP Authentication

[Diagram: Client and Server exchanging requests, captioned "Authentication?"]

Basic Authentication Demo

Basic Authentication

  • Client → Server:

GET /secret.html HTTP/1.0

  • Server → Client:

HTTP/1.1 401 Access Denied
WWW-Authenticate: Basic realm="secret files"
Content-Length: 0

  • Client → Server:

GET /secret.html HTTP/1.0
Authorization: Basic dXNlcjpwYXNzd29yZA==

  • Notes:

How to set up Basic Authentication

  • Have mod_auth_basic enabled on web server
  • Create password file (not on web accessible path)

htpasswd -c myfile myuser

  • Configure server to ask for credentials
  • Ex. In .htaccess

AuthType Basic
AuthName myrealm
AuthBasicProvider file
AuthUserFile myfile
Require valid-user

http://httpd.apache.org/docs/2.2/howto/auth.html

Lab Exercise

  • ssh into mope.academy.usna.edu
  • Create password file basicUsers.txt in your home dir (not web accessible) for your user mXXXXXX

htpasswd -c basicUsers.txt mXXXXXX

  • From Windows or Unix: Create new folder BasicSecret in your public_html folder
  • Save starter page starter.html from website in BasicSecret
  • Create .htaccess file in BasicSecret with content

AuthType Basic
AuthName "Restricted files for basic"
AuthBasicProvider file
AuthUserFile /home/mids/mXXXXXX/basicUsers.txt
Require valid-user

  • In browser:

http://mope.academy.usna.edu/~mXXXXXX/BasicSecret/starter.html

  • Might need to change permissions for basicUsers.txt (in Unix):

setfacl -m u:www-data:rx basicUsers.txt

Base64 Encoding

  • Encoding binary to text (NOT encryption)
  • Uses 64 characters (6 bits needed to represent each symbol)
  • To encode user:password
    – Concatenate the 8-bit ASCII representation of each character
    – If the number of bytes is not a multiple of 3, append one or two all-zero bytes
    – Split each 3-byte (24-bit) block into four 6-bit blocks
    – Translate each 6-bit block to its Base64 character
    – If a 6-bit block came entirely from the padding, translate it to =

http://en.wikipedia.org/wiki/Base64

ASCII table: http://www.rapidtables.com/code/text/ascii-table.htm

ICE: Encode "it350"
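Added example (not part of the slides): the Base64 steps above carried out literally in Python, then used to build and take apart the Authorization header from the Basic Authentication slide. The hand-rolled encoder is cross-checked against Python's base64 module. The point for a defender is visible in credentials_from_header: anyone who can read the request recovers user and password directly, because Base64 is an encoding, not encryption, so Basic only makes sense over TLS.

```python
import base64

# Base64 alphabet: 64 symbols, so each symbol carries exactly 6 bits
B64_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789+/"
)


def b64encode_manual(data: bytes) -> str:
    """Encode bytes by following the slide's steps one by one."""
    # 1. concatenate the 8-bit representation of every byte
    bits = "".join(f"{b:08b}" for b in data)
    # 2. if the byte count is not a multiple of 3, append one or two all-zero bytes
    pad_bytes = (-len(data)) % 3
    bits += "00000000" * pad_bytes
    # 3. split each 24-bit block into four 6-bit blocks, 4. map each block to its symbol
    symbols = [B64_ALPHABET[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6)]
    # 5. a 6-bit block made entirely of padding bits becomes '='
    if pad_bytes:
        symbols[-pad_bytes:] = ["="] * pad_bytes
    return "".join(symbols)


def b64decode_manual(text: str) -> bytes:
    """Reverse the steps: 6 bits per symbol, then drop the bits that were only padding."""
    bits = "".join(f"{B64_ALPHABET.index(c):06b}" for c in text.rstrip("="))
    # only whole 8-bit groups are data; the leftover (fewer than 8) bits came from padding
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def basic_authorization_header(user: str, password: str) -> str:
    """Build the header a browser sends after a 401 with WWW-Authenticate: Basic."""
    return "Basic " + b64encode_manual(f"{user}:{password}".encode("utf-8"))


def credentials_from_header(header: str) -> tuple:
    """What the server, or anyone reading an unencrypted request, recovers."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, sep, password = b64decode_manual(token).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("malformed credentials: no ':' separator")
    return user, password


def stdlib_roundtrip_ok(data: bytes) -> bool:
    """Cross-check both hand-rolled functions against Python's base64 module."""
    std = base64.b64encode(data).decode("ascii")
    return b64encode_manual(data) == std and b64decode_manual(std) == data


if __name__ == "__main__":
    hdr = basic_authorization_header("user", "password")   # values from the slide
    print(hdr)                            # Basic dXNlcjpwYXNzd29yZA==
    print(credentials_from_header(hdr))   # ('user', 'password')
```

Running the module prints the same Authorization header the slide shows, then the recovered credentials.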

ICE: Decode aXQzNTA6dGVzdA==

Digest Authentication

  • Similar to Basic authentication, BUT
  • Passwords are not sent in plain (Base64-encoded) text
  • Based on challenge-response authentication

– Uses MD5 hash

Digest Authentication – Part 1

  • Client → Server:

GET /secret.html HTTP/1.0

  • Server → Client:

HTTP/1.1 401 Access Denied
WWW-Authenticate: Digest realm="Restricted",
    nonce="SQzKShMSBQA=03e769c8c1c9062dcd9adcb06a8f787897de64fb",
    algorithm=MD5, qop="auth"
Content-Length: 0

Digest Authentication – Part 2

  • Client → Server:

GET /secret.html HTTP/1.0
Authorization: Digest username="johnny", realm="Restricted",
    nonce="SQzKShMSBQA=03e769c8c1c9062dcd9adcb06a8f787897de64fb",
    uri="/secret.html", algorithm=MD5,
    response="ffd5ebb687c6198ef663e43b25a32d0e",
    qop=auth, nc=00000001, cnonce="80ddead374b429b7"

  • Pros:
  • Cons:
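Added example (not from the slides): the challenge-response exchange above worked through in Python, with both sides shown. ha1() is the value htdigest stores for a user in a realm, digest_response() is what the client puts in the response= field, and verify_digest() is the server-side check that parses the Authorization header, recomputes the response from the stored HA1 and the nonce it issued, and compares in constant time. The slide's password is not given, so the checks use the worked example from RFC 2617 (user Mufasa, realm testrealm@host.com, password "Circle Of Life"); make_nonce() and the header layout are this example's own assumptions, not Apache's code.

```python
import hashlib
import hmac
import re
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_nonce() -> str:
    """Server side: an unpredictable challenge to send in WWW-Authenticate.
    A fresh value per 401 means a captured response cannot simply be replayed."""
    return secrets.token_hex(16)


def ha1(username: str, realm: str, password: str) -> str:
    """What htdigest stores for user@realm. The cleartext password is never kept,
    but this value is password-equivalent for the realm, so the file must stay
    outside the web root (as the setup slides insist)."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_value: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client side, qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# key="quoted value"  or  key=bare_value  (the header above mixes both forms)
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    return {key: bare or quoted for key, quoted, bare in _PARAM.findall(params)}


def verify_digest(header: str, method: str, ha1_by_user: dict, issued_nonce: str) -> bool:
    """Server side: recompute the expected response from stored HA1 and compare."""
    p = parse_digest_header(header)
    stored = ha1_by_user.get(p.get("username", ""))
    # unknown user, or a nonce this server did not issue: reject before any hashing
    if stored is None or p.get("nonce") != issued_nonce:
        return False
    try:
        expected = digest_response(stored, method, p["uri"], p["nonce"],
                                   p["nc"], p["cnonce"], p.get("qop", "auth"))
    except KeyError:          # required parameter missing from the header
        return False
    # constant-time compare: timing must not reveal how many hex digits matched
    return hmac.compare_digest(expected, p.get("response", ""))


# RFC 2617 worked example, used here as a known-answer test vector
RFC_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
RFC_HEADER = ('Digest username="Mufasa", realm="testrealm@host.com", '
              f'nonce="{RFC_NONCE}", uri="/dir/index.html", algorithm=MD5, '
              'response="6629fae49393a05397450978507c4ef1", '
              'qop=auth, nc=00000001, cnonce="0a4f113b"')


def rfc_example_verifies(password: str = "Circle Of Life") -> bool:
    """True when the RFC header checks out against the HA1 derived from `password`."""
    store = {"Mufasa": ha1("Mufasa", "testrealm@host.com", password)}
    return verify_digest(RFC_HEADER, "GET", store, RFC_NONCE)


if __name__ == "__main__":
    print(rfc_example_verifies())                    # True
    print(rfc_example_verifies("wrong password"))    # False
```

Notice what travels on the wire: nonce, cnonce, nc and the MD5 response, never the password. What the server must protect instead is the HA1 table, and it must also remember which nonces it issued; a server that accepts any nonce value loses the replay protection that is the whole point of the challenge.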

How to set up Digest Authentication

  • Have mod_auth_digest enabled on web server
  • Create password file (not on web accessible path)

htdigest -c myfile myrealm myuser

  • Configure server to ask for credentials
  • Ex. In .htaccess

AuthType Digest
AuthName myrealm
AuthDigestProvider file
AuthUserFile myfile
Require valid-user

http://httpd.apache.org/docs/2.2/howto/auth.html

Other types of authentication

  • NTLM Authentication
  • Certificate authentication
  • Integrated Windows Authentication
  • Form-based authentication