WWW-Authenticate


Servlets: HTTP Request Header Contents and Responses
HTTP REQUESTS & RESPONSES
1
Road Map
Recap and Overview
Reading HTTP Request Headers
Generating the Server Response
Case Study 1: Search Engines
Case Study 2: Basic Web Security
◦ Restricting by User Name/Password
Recap and Overview
Overview
Interaction between browser and web server (diagram): the Web Browser sends a Request to the Web Server, and the Web Server returns a Response.
Client Request Data
When a user submits a browser request to a web server, it sends two categories of data:
◦ Form Data: Data that the user explicitly typed into an HTML form.
◦ For example: registration information.
◦ HTTP Request Header Data: Data that is automatically appended to the HTTP request by the client.
◦ For example: cookies, browser type, etc.
Reading HTTP Request Headers
Sample HTTP Request
A sample HTTP Request to Yahoo.com
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)
Host: www.yahoo.com
Connection: Keep-Alive
Cookie: B=2td79o0sjlf5r&b=2
Tip: Check out:
http://www.web-sniffer.net
Accessing HTTP Headers
As in the SnoopServlet example:
To access any of these headers, use the HttpServletRequest getHeader() method.
For example:
◦ String connection = req.getHeader("Connection");
To retrieve a list of all the header names, use the getHeaderNames() method.
◦ getHeaderNames() returns an Enumeration object.
For example (enum is a reserved word in Java 5 and later, so it cannot be used as a variable name):
◦ Enumeration headerNames = req.getHeaderNames();
Additional HTTP Information
getMethod()
◦ Indicates the request method, e.g. GET or POST.
getRequestURI()
◦ Returns the part of the URL that comes after the host and
port. For example, for the URL:
http://randomhost.com/servlet/search, the request URI
would be /servlet/search.
getProtocol()
◦ Returns the protocol version, e.g. HTTP/1.0 or HTTP/1.1
Reading Browser Types
The User-Agent HTTP header indicates the browser and operating
system.
For example:
◦ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
You can use this header to differentiate browser types or simply log
browser requests.
Example User-Agents
Internet Explorer:
◦ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla:
◦ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624
For strange historical reasons, IE identifies itself as “Mozilla”.
Generating the Server Response
Sample HTTP Response
As a refresher, here’s a sample HTTP response:
HTTP/1.1 200 OK
Date: Mon, 06 Dec 2004 20:54:26 GMT
Server: Apache/1.3.6 (Unix)
Last-Modified: Fri, 04 Oct 2002 14:06:11 GMT
Content-length: 327
Connection: close
Content-type: text/html
<title>Sample Homepage</title>
<img src="/images/oreilly_mast.gif">
<h1>Welcome</h1>Hi there, this is a simple web page.
Granted, it may…
Generating Responses
Servlets can return any HTTP response they want.
Useful for lots of scenarios:
◦ Redirecting to another web site.
◦ Restricting access to approved users.
◦ Specifying a content-type other than text/html.
◦ Returning images instead of HTML.
Setting the HTTP Status Code
Normally, your Servlet will return an HTTP status code of 200 OK to indicate that everything went fine.
To return a different status code, use the setStatus()
method of the HttpServletResponse object.
Be sure to set the status code before sending any
document content to the client.
Using setStatus()
setStatus() takes an integer value, but it’s best to use the predefined constants in HttpServletResponse. Here are a few:
SC_BAD_REQUEST
◦ Status code (400) indicating the request sent by the client was
syntactically incorrect.
SC_FORBIDDEN
◦ Status code (403) indicating the server understood the request but
refused to fulfill it.
SC_INTERNAL_SERVER_ERROR
◦ Status code (500) indicating an error inside the HTTP server which
prevented it from fulfilling the request.
SC_NOT_FOUND
◦ Status code (404) indicating that the requested resource is not available.
Sending Redirects
You can redirect the browser to a different URL by issuing a
Moved Temporarily Status Code:
◦ SC_MOVED_TEMPORARILY: Status code (302) indicating that the
resource has temporarily moved to another location.
Because this is so common, the HttpServletResponse
interface also has a sendRedirect() method.
◦ Example: res.sendRedirect("http://www.yahoo.com");
Example: Search Engines
Multiple Search Engines
SearchEngines Servlet
Enables users to submit a search query to one of
four search engines.
◦ Google
◦ AllTheWeb
◦ Yahoo
◦ AltaVista, etc.
The code exploits the HTTP Response Header to
redirect the user to the correct search engine.
Architecture (diagram):
Web Browser → SearchEngines Servlet: “I want to search for Bill Gates on Google”
SearchEngines Servlet → Web Browser: “Go to Google”
Web Browser → Google: “I want to search for Bill Gates on Google”
Google → Web Browser: “Your results…”
SearchSpec.java
The SearchSpec object contains information about connecting to a specific search engine.
◦ public String makeURL(String searchString, String numResults)
◦ You provide this method with a search string and the number of results, and it returns the URL and search query specific to Google, Yahoo, HotBot, etc.
◦ The class is contained in SearchEngines.java on acad
SearchUtilities.java
The SearchUtilities.java code has an array of SearchSpec objects: one
for Google, one for Yahoo, etc.
It also provides a makeUrl method…
SearchEngines.java
The main servlet code.
This code:
◦ Extracts the searchEngine parameter.
◦ If no such parameter exists, it sends an HTTP error.
◦ Otherwise, it calls SearchUtilities to construct the correct URL.
◦ Finally, it redirects the user to this new URL.
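A worked version of these four steps, added here as an illustration and not the lecture's own SearchEngines.java: a fixed table stands in for SearchUtilities, and the class name, the searchString parameter and the engine URL prefixes are assumptions. Redirecting only to URLs built from that table, with the query URL-encoded, keeps the servlet from acting as an open redirector to arbitrary URLs.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SearchEnginesExample extends HttpServlet {
    // Stand-in for SearchUtilities' array of SearchSpec objects: engine name -> URL prefix (assumed values).
    private static final Map<String, String> ENGINES = Map.of(
        "google",    "https://www.google.com/search?q=",
        "yahoo",     "https://search.yahoo.com/search?p=",
        "alltheweb", "http://www.alltheweb.com/search?q=",
        "altavista", "http://www.altavista.com/web/results?q=");

    // Equivalent of SearchSpec.makeURL; returns null for an engine that is not in our table.
    static String makeURL(String engine, String searchString) {
        String prefix = engine == null ? null : ENGINES.get(engine.toLowerCase());
        if (prefix == null) return null;
        // URL-encode the user's query so spaces, '&' or '#' cannot change the target URL.
        return prefix + URLEncoder.encode(searchString, StandardCharsets.UTF_8);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException {
        String engine = req.getParameter("searchEngine");   // 1) extract the searchEngine parameter
        String query = req.getParameter("searchString");
        if (engine == null || query == null) {               // 2) missing parameter: send an HTTP error
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "searchEngine and searchString are required");
            return;
        }
        String url = makeURL(engine, query);                 // 3) build the engine-specific URL
        if (url == null) {                                   //    unknown engine: never redirect to it
            res.sendError(HttpServletResponse.SC_NOT_FOUND, "Unknown search engine");
            return;
        }
        res.sendRedirect(url);                               // 4) 302 with a Location header
    }
}
```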
Example: Basic Web Security
HTTP Authentication
The HTTP protocol includes a built-in authentication mechanism.
It is useful for protecting web pages or servlets that require user name / password access.
First, let’s examine the basic mechanism and the HTTP headers involved.
Then, let’s figure out how to build a servlet that exploits this mechanism.
Basic Authentication
1) If a web page is protected, the Web Server will issue an authentication “challenge”:
HTTP/1.1 401 Authorization Required
Date: Sun, 27 Aug 2000 17:51:25 GMT
Server: Apache/1.3.12 (Unix) ApacheJServ/1.1 PHP/4.0.0 mod_ssl/2.6.6 OpenSSL/0.9.5a
WWW-Authenticate: BASIC realm="privileged-few"
Keep-Alive: timeout=90, max=150
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
WWW-Authenticate
WWW-Authenticate: BASIC realm="realm"
When you issue a return status code of 401, “Authorization Required”, you need to tell the browser what type of authentication is required.
You do this via the WWW-Authenticate header. This header has two parts:
◦ BASIC: the authentication scheme; Basic authorization requires a user name and password.
◦ realm: you can create multiple “realms” of authentication for different users, e.g. “Admin”, “User”, “Super_User”, etc.
Basic Authentication Cont.
2) Upon receiving an authentication challenge, the browser will prompt the user with a pop-up box requesting the user name and password.
3) The browser takes the “username:password” string from the user and encodes it using the Base 64 encoding algorithm.
◦ For example: if the string is “marty:martypw”, the Base 64 string is “bWFydHk6bWFydHlwdw==”
◦ We will not cover the details of Base 64, but remember that Base 64 is an encoding, not encryption, and is trivial to decode. Therefore, even if your page is protected, someone who can intercept your Base 64 string can easily decode it.
Basic Authentication Cont.
4) The browser reissues the request for the page. In the HTTP request, the browser includes the Authorization string:
GET /servlet/coreservlets.ProtectedPage HTTP/1.1
Accept: image/gif, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)
Host: www.ecerami.com
Connection: Keep-Alive
Authorization: Basic bWFydHk6bWFydHlwdw==
Basic Authentication Cont.
5) The Web Server checks the user name and password.
◦ If the user name/password is correct, the web server displays the protected page.
◦ If the user name/password is incorrect, the web server issues a second authentication challenge.
Almost there…
Before we examine the actual servlet code, there are two pieces of Java
coding we need to examine:
◦ sun.misc.BASE64Decoder.
◦ java.util.Properties
Base 64 Encoding
Sun provides a class called sun.misc.BASE64Decoder.
You can use the decodeBuffer() method to decode the Base 64 string sent from the user:
import sun.misc.BASE64Decoder;
String userInfo = "bWFydHk6bWFydHlwdw==";
BASE64Decoder decoder = new BASE64Decoder();
String nameAndPassword = new String(decoder.decodeBuffer(userInfo));
After this code, nameAndPassword will be set to “marty:martypw”
java.util.Properties
A utility class for reading in property files.
For example, suppose you have the following
password.properties file:
#Passwords
#Sat Aug 26 11:15:42 EDT 2000
nathan=nathanpw
marty=martypw
lindsay=lindsaypw
bj=bjpw
java.util.Properties
You can easily and automatically load the password file and parse its contents:
import java.io.FileInputStream;
import java.util.Properties;
String passwordFile = "passwords.properties";
Properties passwords = new Properties();
passwords.load(new FileInputStream(passwordFile));
Then, you can extract the password for a specific user name:
String password = passwords.getProperty("marty");
ProtectedPage.java
Here’s how the servlet works:
1) Initialization: Read in a password file of valid user names and passwords.
2) Check for the HTTP Authorization header.
3) Decode the Authorization header using Base 64 to obtain the user name and password.
4) Check the user name and password against the valid names list.
◦ If valid, show the protected page.
◦ Else, issue another authentication challenge.
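The steps above as a runnable servlet, added here as an illustration and not the lecture's ProtectedPage.java; it assumes the javax.servlet API, a /WEB-INF/passwords.properties file in the format shown earlier, and uses java.util.Base64 (Java 8 and later) in place of the internal sun.misc.BASE64Decoder. Because Basic only Base 64 encodes the credentials, a page protected this way should be served over HTTPS.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Properties;
import javax.servlet.ServletException;
import javax.servlet.http.*;

public class ProtectedPageExample extends HttpServlet {
    private final Properties passwords = new Properties();

    @Override
    public void init() throws ServletException {
        // 1) Initialization: read the password file once (the path is an assumption).
        try (InputStream in = getServletContext().getResourceAsStream("/WEB-INF/passwords.properties")) {
            if (in == null) throw new ServletException("passwords.properties not found");
            passwords.load(in);
        } catch (IOException e) { throw new ServletException(e); }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException {
        // 2) Check for the Authorization header; the scheme name is case-insensitive.
        String auth = req.getHeader("Authorization");
        if (auth == null || !auth.regionMatches(true, 0, "Basic ", 0, 6)) { challenge(res); return; }
        // 3) Base 64 decode "username:password" (java.util.Base64 stands in for sun.misc.BASE64Decoder).
        String nameAndPassword;
        try {
            nameAndPassword = new String(Base64.getDecoder().decode(auth.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) { challenge(res); return; }
        int colon = nameAndPassword.indexOf(':');            // split at the FIRST colon: a password may contain ':'
        if (colon < 0) { challenge(res); return; }
        String user = nameAndPassword.substring(0, colon);
        byte[] given = nameAndPassword.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        // 4) Check against the list with a constant-time compare, so response time does not reveal matching prefixes.
        String expected = passwords.getProperty(user);
        if (expected == null || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), given)) {
            challenge(res);                                    // invalid: issue another challenge
            return;
        }
        res.setContentType("text/html");                      // valid: show the protected page
        res.getWriter().println("<h1>Protected page</h1>");
    }

    // 401 challenge: status first, then the WWW-Authenticate header, and only then any body.
    private static void challenge(HttpServletResponse res) throws IOException {
        res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        res.setHeader("WWW-Authenticate", "Basic realm=\"privileged-few\"");
        res.getWriter().println("<h1>Authorization Required</h1>");
    }
}
```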
Form Authentication System
BASE64 is not secure
◦ Need a secure solution!
Use an HTML form
◦ Example: FormAuthenticate
◦ A request to the servlet attempts to access protected data
◦ The user is redirected to a login form web page
◦ The example accepts any user name/password combination
◦ Once authenticated, the user is redirected to the desired page
◦ A Session object is used to store the desired destination during the login diversion
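One way to build the form-based variant just listed, added here as an illustration and not the lecture's FormAuthenticate: the class name, the /login.html form (assumed to POST username and password back to this servlet) and the reuse of the passwords.properties file are assumptions. Invalidating the pre-login session and following the stored destination only when it is a same-site path are the two checks a reviewer would look for.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Properties;
import javax.servlet.ServletException;
import javax.servlet.http.*;

public class FormAuthExample extends HttpServlet {
    private final Properties passwords = new Properties();
    @Override
    public void init() throws ServletException {
        // Same passwords.properties format as the Basic-authentication slides (the path is an assumption).
        try (InputStream in = getServletContext().getResourceAsStream("/WEB-INF/passwords.properties")) {
            if (in == null) throw new ServletException("passwords.properties not found");
            passwords.load(in);
        } catch (IOException e) { throw new ServletException(e); }
    }

    // An attempt to access the protected data: unauthenticated users are diverted to the login form.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException {
        HttpSession session = req.getSession(true);
        if (session.getAttribute("user") == null) {
            session.setAttribute("destination", req.getRequestURI()); // kept server-side, not in a URL parameter
            res.sendRedirect(req.getContextPath() + "/login.html");
            return;
        }
        res.setContentType("text/html");
        res.getWriter().println("<h1>Protected data</h1>");
    }

    // The login form POSTs "username" and "password" here.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
        String user = req.getParameter("username"), pass = req.getParameter("password");
        String expected = user == null ? null : passwords.getProperty(user);
        if (pass == null || expected == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), pass.getBytes(StandardCharsets.UTF_8))) {
            res.sendRedirect(req.getContextPath() + "/login.html?failed=1");
            return;
        }
        HttpSession old = req.getSession(false);
        String dest = old == null ? null : (String) old.getAttribute("destination");
        if (old != null) old.invalidate();             // fresh session id after login, against session fixation
        req.getSession(true).setAttribute("user", user);
        // Follow the stored destination only if it is a path on this site (never an absolute or "//host" URL).
        if (dest == null || !dest.startsWith("/") || dest.startsWith("//")) dest = req.getContextPath() + "/";
        res.sendRedirect(dest);
    }
}
```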
Summary
Lots of hidden HTTP data, including headers and cookies, is sent from the browser to the server.
HTTP header data can also be sent from the server to the browser, e.g. error codes, redirection codes, etc.