The Basic Authentication Scheme of HTTP. Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified.

Slides:



Advertisements
Similar presentations
Enabling Secure Internet Access with ISA Server
Advertisements

Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
The Elbert HTTP Server HTTP Authentication, providing security in tough times By: Shawn M. Jones.
Web Application Security SSE USTC Qing Ding. Agenda General security issues Web-tier security requirements and schemes HTTP basic authentication based.
Securing web applications using Java EE Dr Jim Briggs 1.
>> PHP: Access Control & Security. Authentication: Source Authentication Source Hard-coded File-Based The username and password is available inside the.
WEB2P security Java web application security Dr Jim Briggs.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
User and Security Management. Security Management in Web Applications.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Crawling The Web. Motivation By crawling the Web, data is retrieved from the Web and stored in local repositories Most common example: search engines,
Web Site Security Representation and Management of Data on the Web.
Session and Security Management. HTTP Cookies Cookies Cookies are a general mechanism that server-side applications can use to both store and retrieve.
Web Application Security Representation and Management of Data on the Web.
Hypertext Transport Protocol CS Dick Steflik.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
APACHE SERVER By Innovationframes.com »
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
FTP File Transfer Protocol. Introduction transfer file to/from remote host client/server model  client: side that initiates transfer (either to/from.
Understanding Integrated Authentication in IIS Chris Adams IIS Supportability Lead Microsoft Corp.
_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.
Session 11: Security with ASP.NET
Cookies Set a cookie – setcookie() Extract data from a cookie - $_COOKIE Augment user authentication script with a cookie.
Comp2513 Forms and CGI Server Applications Daniel L. Silver, Ph.D.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.
1 Web services and security ---discuss different ways to enforce security Presenter: Han, Xue.
COMP3121 E-Commerce Technologies Richard Henson University of Worcester November 2011.
Chapter 8 Cookies And Security JavaScript, Third Edition.
Week seven CIT 354 Internet II. 2 Objectives Database_Driven User Authentication Using Cookies Session Basics Summary Homework and Project 2.
Lecture 8 – Cookies & Sessions SFDV3011 – Advanced Web Development 1.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
Chapter 6: Authentications. Training Course, CS, NCTU 2 Overview  Getting Username and Password  Verifying Username and Password  Keeping The Verification.
SE-2840 Dr. Mark L. Hornick1 Web Application Security.
Department of Computer Science & Engineering San Jose State University
Module 11: Securing a Microsoft ASP.NET Web Application.
1 Caching in HTTP Representation and Management of Data on the Internet.
Web Database Programming Week 7 Session Management & Authentication.
Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.
PHP-based Authentication
 Registry itself is easy and straightforward in implementation  The objects of registry are actually complicated to store and manage  Objects of Registry.
CP476 Internet Computing CGI1 Cookie –Cookie is a mechanism for a web server recall info of accessing of a client browser –A cookie is an object sent by.
PHP Secure Communications Web Technologies Computing Science Thompson Rivers University.
Access control 2/18/2009. TOMCAT Security Model Declarative Security:  the expression of application security external to the application, and it allows.
Web Server.
How to maintain state in a stateless web Shirley Cohen
ITM © Port,Kazman 1 ITM 352 Cookies. ITM © Port,Kazman 2 Problem… r How do you identify a particular user when they visit your site (or any.
COEN 350: Network Security E-Commerce Issues. Table of Content HTTP Authentication Cookies.
Unit-6 Handling Sessions and Cookies. Concept of Session Session values are store in server side not in user’s machine. A session is available as long.
Securing Web Applications Lesson 4B / Slide 1 of 34 J2EE Web Components Pre-assessment Questions 1. Identify the correct return type returned by the doStartTag()
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
Web Server Design Week 10 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 3/17/10.
Security Management in Web Applications. We all know this page...
CS520 Web Programming Declarative Security (I) Chengyu Sun California State University, Los Angeles.
The Common Gateway Interface (CGI) Pat Morin COMP2405.
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Authentication & .htaccess
Understanding the Internet
CAS and Web Single Sign-on at UConn
19.10 Using Cookies A cookie is a piece of information that’s stored by a server in a text file on a client’s computer to maintain information about.
Hypertext Transport Protocol
What is REST API ? A REST (Representational State Transfer) Server simply provides access to resources and the REST client accesses and presents the.
ITM 352 Cookies.
Web Systems Development (CSC-215)
Web Systems Development (CSC-215)
HTTP GET vs POST SE-2840 Dr. Mark L. Hornick.
Kevin Harville Source: Webmaster in a Nutshell, O'Rielly Books
Web Server Design Week 11 Old Dominion University
Presentation transcript:

The Basic Authentication Scheme of HTTP

Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified by a name and a password Several mechanisms are used for controlling the access to pages on the Web A basic mechanism, provided by HTTP, is called “Basic Authentication Scheme”

Basic Authentication Scheme For each URL that the server wishes to restrict, a list of authorized users is maintained Using HTTP headers, the server declares that a the requested page is restricted (authentication is required) The client passes the name and password within a HTTP header The decision on which pages are restricted and to which users is implemented by the server (not a part of HTTP)

Basic Authentication Scheme (cont) The user's name and password need to be sent with each request for a protected resource When the server gets a request for a protected resource, it checks whether that request has the HTTP header Authorization: Basic username:password username:password undergoes some non-secure encoding to allow for special characters If the name and password are accepted by the server (i.e., are those of a user that has the privilege to get the page), then the requested page is returned

HTTP Basic Mechanism If the request does not have the authorization header or the name and password are not accepted, then the server replies with 401 (unauthorized) A 401 response can have the header WWW-Authenticate: Basic realm="realm-name" That is, "in order to get this resource, you will have to authenticate using the basic method" -Tell the user to supply authentication for pages in realm-name

Declarative Security: BASIC Realm B Realm A /a/A.html /a/B.jsp /b/C.css /b/D.xml E.xsl GET E.xsl OK + Content F.xml

Declarative Security: BASIC Realm B Realm A /a/A.html /a/B.jsp /b/C.css /b/D.xml E.xsl GET /a/B.jsp Basic realm="A" F.xml

Declarative Security: BASIC Realm B Realm A /a/A.html /a/B.jsp /b/C.css /b/D.xml E.xsl GET /a/B.jsp + user:pass OK + Content F.xml

Declarative Security: BASIC Realm B Realm A /a/A.html /a/B.jsp /b/C.css /b/D.xml E.xsl GET /a/A.html + user:pass OK + Content F.xml

Browser Cooperation Throughout the session, the browser stores the username and password and automatically sends the authorization header in either one of the following cases: -The requested resource is under the directory of the originally authenticated resource -The browser received 401 from the Web server and the WWW-Authenticate header has the same realm as the previous protected resource

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.