Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Basic Authentication Scheme of HTTP. Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified.

Published byLambert Jacobs Modified over 9 years ago

Similar presentations

Presentation on theme: "The Basic Authentication Scheme of HTTP. Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified."— Presentation transcript:

1 The Basic Authentication Scheme of HTTP

2 Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified by a name and a password Several mechanisms are used for controlling the access to pages on the Web A basic mechanism, provided by HTTP, is called “Basic Authentication Scheme”

3 Basic Authentication Scheme For each URL that the server wishes to restrict, a list of authorized users is maintained Using HTTP headers, the server declares that a the requested page is restricted (authentication is required) The client passes the name and password within a HTTP header The decision on which pages are restricted and to which users is implemented by the server (not a part of HTTP)

4 Basic Authentication Scheme (cont) The user's name and password need to be sent with each request for a protected resource When the server gets a request for a protected resource, it checks whether that request has the HTTP header Authorization: Basic username:password username:password undergoes some non-secure encoding to allow for special characters If the name and password are accepted by the server (i.e., are those of a user that has the privilege to get the page), then the requested page is returned

5 HTTP Basic Mechanism If the request does not have the authorization header or the name and password are not accepted, then the server replies with 401 (unauthorized) A 401 response can have the header WWW-Authenticate: Basic realm="realm-name" That is, "in order to get this resource, you will have to authenticate using the basic method" -Tell the user to supply authentication for pages in realm-name

6 Declarative Security: BASIC Realm B Realm A /a/A.html /a/B.jsp /b/C.css /b/D.xml E.xsl GET E.xsl OK + Content F.xml

7 Declarative Security: BASIC Realm B Realm A /a/A.html /a/B.jsp /b/C.css /b/D.xml E.xsl GET /a/B.jsp 401 + Basic realm="A" F.xml

8 Declarative Security: BASIC Realm B Realm A /a/A.html /a/B.jsp /b/C.css /b/D.xml E.xsl GET /a/B.jsp + user:pass OK + Content F.xml

9 Declarative Security: BASIC Realm B Realm A /a/A.html /a/B.jsp /b/C.css /b/D.xml E.xsl GET /a/A.html + user:pass OK + Content F.xml

10 Browser Cooperation Throughout the session, the browser stores the username and password and automatically sends the authorization header in either one of the following cases: -The requested resource is under the directory of the originally authenticated resource -The browser received 401 from the Web server and the WWW-Authenticate header has the same realm as the previous protected resource

Download ppt "The Basic Authentication Scheme of HTTP. Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified."

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.

Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
The Elbert HTTP Server HTTP Authentication, providing security in tough times By: Shawn M. Jones.

The Elbert HTTP Server HTTP Authentication, providing security in tough times By: Shawn M. Jones.
Web Application Security SSE USTC Qing Ding. Agenda General security issues Web-tier security requirements and schemes HTTP basic authentication based.

Web Application Security SSE USTC Qing Ding. Agenda General security issues Web-tier security requirements and schemes HTTP basic authentication based.
Securing web applications using Java EE Dr Jim Briggs 1.

Securing web applications using Java EE Dr Jim Briggs 1.
>> PHP: Access Control & Security. Authentication: Source Authentication Source Hard-coded File-Based The username and password is available inside the.

>> PHP: Access Control & Security. Authentication: Source Authentication Source Hard-coded File-Based The username and password is available inside the.
WEB2P security Java web application security Dr Jim Briggs.

WEB2P security Java web application security Dr Jim Briggs.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
User and Security Management. Security Management in Web Applications.

User and Security Management. Security Management in Web Applications.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Crawling The Web. Motivation By crawling the Web, data is retrieved from the Web and stored in local repositories Most common example: search engines,

Crawling The Web. Motivation By crawling the Web, data is retrieved from the Web and stored in local repositories Most common example: search engines,
Web Site Security Representation and Management of Data on the Web.

Web Site Security Representation and Management of Data on the Web.
Session and Security Management. HTTP Cookies Cookies Cookies are a general mechanism that server-side applications can use to both store and retrieve.

Session and Security Management. HTTP Cookies Cookies Cookies are a general mechanism that server-side applications can use to both store and retrieve.
Web Application Security Representation and Management of Data on the Web.

Web Application Security Representation and Management of Data on the Web.
Hypertext Transport Protocol CS - 328 Dick Steflik.

Hypertext Transport Protocol CS Dick Steflik.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
APACHE SERVER By Innovationframes.com »

APACHE SERVER By Innovationframes.com »
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Similar presentations

Ads by Google