WWW-Authenticate
Download
Report
Transcript WWW-Authenticate
Servlets:
HTTP Request Header Contents
and Responses
HTTP Requests & Responses
1
Road Map
Recap and Overview
Reading HTTP Request Headers
Generating the Server Response
Case Study 1: Search Engines
Case Study 2: Basic Web Security
Restricting by User Name/Password
HTTP Requests & Responses
2
Recap and Overview
HTTP Requests & Responses
3
Overview
Interaction between browser and web
server.
Request
Web
Browser
Response
Web
Server
HTTP Requests & Responses
4
Client Request Data
When a user submits a browser request to a
web server, it sends two categories of data:
Form Data: Data that the user explicitly typed
into an HTML form.
For example: registration information.
HTTP Request Header Data: Data that is
automatically appended to the HTTP Request from
the client.
For example: cookies, browser type, etc,
HTTP Requests & Responses
5
Reading HTTP Request
Headers
HTTP Requests & Responses
6
Sample HTTP Request
A sample HTTP Request to Yahoo.com
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)
Host: www.yahoo.com
Connection: Keep-Alive
Tip: Check out:
Cookie: B=2td79o0sjlf5r&b=2
http://www.web-sniffer.net
HTTP Requests & Responses
7
Accessing HTTP Headers
As in the SnoopServlet Example:
To access any of these Headers, use the
HTTPServletRequest getHeader() method.
For example:
To retrieve a list of all the Header Names, use the
getHeaderNames() method.
String connection = req.getHeader(“Connection”);
getHeaderNames() returns an Enumeration object.
For example:
Enumeration enum = req.getHeaderNames();
HTTP Requests & Responses
8
Additional HTTP Information
getMethod()
getRequestURI()
Indicates the request method, e.g. GET or POST.
Returns the part of the URL that comes after the
host and port. For example, for the URL:
http://randomhost.com/servlet/search, the
request URI would be /servlet/search.
getProtocol()
Returns the protocol version, e.g. HTTP/1.0 or
HTTP/1.1
HTTP Requests & Responses
9
Reading Browser Types
The User-Agent HTTP header indicates
the browser and operating system.
For example:
user-agent Mozilla/4.0 (compatible; MSIE
6.0; Windows NT 5.1)
You can use this header to differentiate
browser types or simply log browser
requests.
HTTP Requests & Responses
10
Example User-Agents
Internet Explorer:
Mozilla
user-agent Mozilla/4.0 (compatible; MSIE
6.0; Windows NT 5.1)
Mozilla/5.0 (Windows; U; Windows NT 5.1;
en-US; rv:1.4) Gecko/20030624
For strange historical reasons, IE
identifies itself as “Mozilla”
HTTP Requests & Responses
11
Generating the Server
Response
HTTP Requests & Responses
12
Sample HTTP Response
As a refresher, here’s a sample HTTP response:
HTTP/1.1 200 OK
Date: Mon, 06 Dec 2004 20:54:26 GMT
Server: Apache/1.3.6 (Unix)
Last-Modified: Fri, 04 Oct 2002 14:06:11 GMT
Content-length: 327
Connection: close
Content-type: text/html
<title>Sample Homepage</title>
<img src="/images/oreilly_mast.gif">
<h1>Welcome</h2>Hi there, this is a simple web page.
it may…
HTTP Requests & Responses
Granted,
13
Generating Responses
Servlets can return any HTTP response
they want.
Useful for lots of scenarios:
Redirecting to another web site.
Restricting access to approved users.
Specifying content-type other than
text/html.
Return images instead of HTML.
HTTP Requests & Responses
14
Setting the HTTP Status Code
Normally, your Servlet will return an HTTP Status
code of: 200 OK to indicate that everything went
fine.
To return a different status code, use the
setStatus() method of the HttpServletResponse
object.
Be sure to set the status code before sending any
document content to the client.
HTTP Requests & Responses
15
Using setStatus()
setStatus takes an integer value. But, it’s best to use the
predefined integers in the HttpServletResponse. Here are a
few:
SC_BAD_REQUEST
Status code (400) indicating the request sent by the client
was syntactically incorrect.
SC_FORBIDDEN
Status code (403) indicating the server understood the
request but refused to fulfill it.
SC_INTERNAL_SERVER_ERROR
Status code (500) indicating an error inside the HTTP server
which prevented it from fulfilling the request.
SC_NOT_FOUND
Status code (404) indicating that the requested resource is
not available. HTTP Requests & Responses
16
Sending Redirects
You can redirect the browser to a different URL by
issuing a Moved Temporarily Status Code:
SC_MOVED_TEMPORARILY: Status code
(302) indicating that the resource has
temporarily moved to another location.
Because this is so common, the HttpServletResponse
interface also has a sendRedirect() method.
Example:
res.sendRedirect( “http://www.yahoo.com”);
HTTP Requests & Responses
17
Example: Search Engines
HTTP Requests & Responses
18
Multiple Search Engines
SearchEngines Servlet
Enables users to submit a search query to
one of four search engines.
Google
AllTheWeb
Yahoo
AltaVista, etc.
The code exploits the HTTP Response Header
to redirect the user to the correct search
engine.
HTTP Requests & Responses
19
Architecture
“I want to search for
Bill Gates on Google”
SearchEngines
Servlet
“Go to Google”
Web
Browser
“I want to search for
Bill Gates on Google”
Google
“Your results…”
HTTP Requests & Responses
20
SearchSpec.java
The SearchSpec object contains information
about connecting to a specific search engine
public String makeURL (String searchString, String
numResults)
You provide this method with a search string and
the number of results, and it returns the URL and
search query specific to Google, Yahoo, HotBot,
etc.
Class is contained in SearchEngines.java on acad
HTTP Requests & Responses
21
SearchUtilities.java
The SearchUtilities.java code has an
array of SearchSpec objects: one for
Google, one for Yahoo, etc.
It also provides a makeUrl method…
HTTP Requests & Responses
22
SearchEngines.java
The main servlet code.
This code:
Extracts the searchEngine parameter.
If no such parameter exists, it sends an
HTTP Error.
Otherwise, it calls SearchUtilities to
construct the correct URL.
Finally, it redirects the user to this new
URL.
HTTP Requests & Responses
23
Example: Basic Web Security
HTTP Requests & Responses
24
HTTP Authentication
The HTTP Protocol Includes a built-in
authentication mechanism.
Useful for protecting web pages or servlets
that require user name / password access.
First, let’s examine the basic mechanism and
the HTTP Headers involved.
Then, let’s figure out how to build a servlet
that exploits this mechanism.
HTTP Requests & Responses
25
Basic Authentication
1)
If a web page is protected, the Web Server
will issue an authentication “challenge”:
HTTP/1.1 401 Authorization Required
Date: Sun, 27 Aug 2000 17:51:25 GMT
Server: Apache/1.3.12 (Unix) ApacheJServ/1.1 PHP/4.0.0
mod_ssl/2.6.6 OpenSSL/0.9.5a
WWW-Authenticate: BASIC realm="privileged-few"
Keep-Alive: timeout=90, max=150
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
HTTP Requests & Responses
26
WWW-Authenticate
WWW-Authenticate: BASIC realm=“realm"
When you issue a return status code of 401,
“Authorization Required”, you need to tell the browser
what type of authentication is required.
You do this via the WWW-Authenticate Header. This
header has two parameters:
BASIC: Basic authorization requiring user name
and password.
Realm: you can create multiple “realms” of
authentication for different users, e.g. “Admin”,
“User”, “Super_User”, etc.
HTTP Requests & Responses
27
Basic Authentication Cont.
Upon receiving an authentication challenge, the
browser will prompt the user with a pop-up box
requesting the user name and password.
Browser takes the “username:password” from
the user and encrypts it using the Base 64
Encoding Algorithm.
2)
3)
For example: if the string is “marty:martypd”, the Base 64
string is “bWFydHk6bWFydHlwdw==”
We will not cover the details of Base 64, but remember that
Base 64 is easy to decode. Therefore, even if your page is
protected, someone can easily intercept your Base 64
string and decode it.
HTTP Requests & Responses
28
Basic Authentication Cont.
4)
The browser reissues the request for the
page. In the HTTP request, the browser
indicates the Authorization string:
GET /servlet/coreservlets.ProtectedPage HTTP/1.1
Accept: image/gif, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)
Host: www.ecerami.com
Connection: Keep-Alive
Authorization: Basic bWFydHk6bWFydHlwdw==
HTTP Requests & Responses
29
Basic Authentication Cont.
Web Server checks the user name and
password.
5.
If User Name/Password is correct, web
server displays the protected page.
If the User Name/Password is incorrect,
web server issues a second
authentication challenge.
HTTP Requests & Responses
30
Almost there…
Before we examine the actual servlet
code, there are two pieces of Java
coding we need to examine:
sun.misc.BASE64Decoder.
java.util.Properties
HTTP Requests & Responses
31
Base 64 Encoding
Sun provides a class called:
sun.misc.BASE64Decoder.
You can use the decodeBuffer() method to
decode the Base 64 String sent from the
user:
String userInfo = “bWFydHk6bWFydHlwdw==”
BASE64Decoder decoder = new BASE64Decoder();
String nameAndPassword =
new String(decoder.decodeBuffer(userInfo));
After this code, nameAndPassword will be set to “marty:martypd”
HTTP Requests & Responses
32
java.util.Properties
A utility class for reading in property files.
For example, suppose you have the following
password.properties file:
#Passwords
#Sat Aug 26 11:15:42 EDT 2000
nathan=nathanpw
marty=martypw
lindsay=lindsaypw
bj=bjpw
HTTP Requests & Responses
33
java.util.Properties
You can easily and automatically load
the password file and parse its
contents:
passwordFile = "passwords.properties";
passwords = new Properties();
passwords.load(new FileInputStream(passwordFile));
Then, you can extract the password for
a specific user name:
String password = properties.getProperty ("marty“);
HTTP Requests & Responses
34
ProtectedPage.java
Here’s how the Servlet Works:
1) Initialization: Read in a Password file of valid
user names and passwords.
2) Check for the HTTP Authorization Header.
3) Decode the Authorization Header using Base 64
to obtain user name and password.
4) Check the User Name and Password against the
valid names list.
If valid, show protected page.
Else, issue another authentication challenge.
HTTP Requests & Responses
35
Form Authentication System
BASE64 not secure
Need secure solution!
Use HTML form
Example: FormAuthenticate
Access of servlet attempts to access protected data
User redirected to login form web page
Example takes any combination
Once authenticated, redirected to desired page
Session object used to store desired destination during
login diversion
HTTP Requests & Responses
36
Summary
Lots of hidden HTTP data, including
headers and cookies are sent from
browser to the server.
HTTP Header data can also be sent
from server to the browser, e.g. error
codes, redirection codes, etc.
HTTP Requests & Responses
37