Web Server Design Week 10 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein <[email protected]> 3/17/10
Page 1: Web Server Design Week 10

Web Server Design

Week 10

Old Dominion University, Department of Computer Science

CS 495/595 Spring 2010

Martin Klein <[email protected]>

3/17/10

Page 2: Web Server Design Week 10

Authentication: Basic & Digest

♣ Defined in RFC-2617
♣ Basic
  ♣ very simple
  ♣ sends password in the clear (very bad)
  ♣ suitable for personalization; not real security
♣ Digest
  ♣ uses cryptographic hashes; password not sent in the clear
  ♣ stronger than Basic, but client support not as prevalent
  ♣ does not encrypt content…
    ♣ SSL, SHTTP or equivalent needed for that
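To make the Digest bullet concrete, here is an added Python illustration (not part of the original deck) of the RFC 2617 computation with qop=auth: the client sends an MD5 of the password combined with the server's nonce, and the server checks it by recomputing from its own stored copy of HA1. The realm, user, password and nonce values are constructed for the example, and the "Paddy's Day" realm is borrowed from the slides' scenario.

```python
"""Digest authentication (RFC 2617, qop=auth): what the client sends instead of
the password, and how the server checks it.  Added illustration; the user,
realm, nonce and password below are constructed, not taken from the slides."""
import hashlib
import hmac
import secrets


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    # The only place the password is used.  The server can keep this hash on
    # file instead of the password itself (this is what htdigest stores).
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method, uri):
    return md5_hex(f"{method}:{uri}")


def digest_response(h1, nonce, nc, cnonce, h2):
    # qop=auth form: MD5(HA1:nonce:nc:cnonce:qop:HA2)
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{h2}")


def new_nonce():
    # Server-chosen and unpredictable: a response captured on the wire is
    # only valid for the challenge that carried this nonce.
    return secrets.token_hex(16)


def client_authorization(username, realm, password, method, uri, nonce,
                         nc="00000001", cnonce=None):
    """Parameters of the Authorization: Digest header the client sends."""
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(ha1(username, realm, password), nonce, nc, cnonce,
                           ha2(method, uri))
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce, "response": resp}


def server_verify(params, method, stored_ha1, issued_nonce):
    """Recompute the response from the stored HA1 and compare in constant time."""
    if params.get("nonce") != issued_nonce or params.get("qop") != "auth":
        return False
    expected = digest_response(stored_ha1, params["nonce"], params["nc"],
                               params["cnonce"], ha2(method, params["uri"]))
    return hmac.compare_digest(expected, params["response"])


def demo():
    """One challenge/response round trip with constructed values."""
    realm, user, password = "Paddy's Day", "st.patrick", "shamrock"
    stored = ha1(user, realm, password)   # what the server keeps on file
    nonce = new_nonce()                   # sent in the 401 challenge
    auth = client_authorization(user, realm, password, "GET", "/shamrock", nonce)
    return server_verify(auth, "GET", stored, nonce)


if __name__ == "__main__":
    print("digest round trip verified:", demo())
```

Changing the method, the URI, the nonce or the password makes the recomputed response differ, which is what the slide means by "password not sent in the clear" while still saying nothing about the content. A production server also has to remember which nonces it issued and reject a repeated nc, and the MD5 in RFC 2617 is weak by today's standards (RFC 7616 adds SHA-256), which is why the slide's closing point about SSL stands: Digest protects the password on the wire, not the request or response.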

Page 3: Web Server Design Week 10

Authentication Structure

♣ Both methods are structurally similar:
  ♣ when the server receives a request for a protected resource, it responds with:
    ♣ status code "401 Unauthorized"
    ♣ "WWW-Authenticate:" response header
  ♣ the client reissues the same request with the addition of:
    ♣ "Authorization:" request header

Page 4: Web Server Design Week 10

Basic

♣ "Authorization:" request header:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

(auth type, then Base64(username:password))

♣ "WWW-Authenticate:" response header:

WWW-Authenticate: Basic realm="St. Patrick's Day"

(auth type, then an opaque string to differentiate auth files)

Page 5: Web Server Design Week 10

Scenario

client -> server: GET shamrock HTTP/1.1

server -> client: 401 Unauthorized
WWW-Authenticate: Basic realm="Paddy's Day"

client -> server: GET foo HTTP/1.1
Authorization: Basic St.Patrick:HolyTrinity

(St.Patrick:HolyTrinity would be base64'd)

server -> client: 200 OK

scenario 2: the client could have sent the Authorization string with the initial request
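The two-request exchange on this slide, together with the header layout from the previous one, as an added Python simulation that is not part of the original deck. The credential store, the salted-hash choice and the helper names are assumptions for illustration; the realm and the st.patrick/shamrock credential are the ones used on these slides.

```python
"""Simulated HTTP Basic exchange (RFC 2617): 401 challenge, Authorization
header, and the server-side parse and check.  Added illustration; the
credential store and hashing scheme are assumptions, not from the slides."""
import base64
import hashlib
import hmac


def build_challenge(realm):
    """401 response header the server sends for a protected resource."""
    return 'WWW-Authenticate: Basic realm="%s"' % realm.replace('"', '\\"')


def build_authorization(username, password):
    """Header the client reissues the request with.  Base64 is an encoding,
    not encryption: anyone who reads this header has the password."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def parse_authorization(header):
    """Return (username, password) from an Authorization header line, or None
    when the line is not a well-formed Basic credential."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "authorization":
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    # Only the first colon separates the fields: the user-id may not contain
    # one, but the password may (RFC 2617 section 2).
    user, _, pw = decoded.partition(":")
    return user, pw


# Constructed credential store: the server keeps salted hashes, never the
# plaintext it is about to receive on the wire.
_SALT = b"example-salt"


def _hash_pw(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), _SALT, 100_000)


USERS = {"st.patrick": _hash_pw("shamrock")}


def authenticate(request_lines, realm="Paddy's Day"):
    """Return (status line, challenge header or None) for a simulated request."""
    creds = None
    for line in request_lines:
        creds = parse_authorization(line)
        if creds:
            break
    if creds is None:
        return "401 Unauthorized", build_challenge(realm)
    user, pw = creds
    expected = USERS.get(user)
    # Hash even for unknown users so the response time does not reveal
    # which user names exist.
    probe = _hash_pw(pw)
    if expected is not None and hmac.compare_digest(probe, expected):
        return "200 OK", None
    return "401 Unauthorized", build_challenge(realm)


def scenario():
    """The two requests from the slide: first without, then with credentials."""
    first = ["GET shamrock HTTP/1.1", "Host: example.test"]  # constructed host
    status1, challenge = authenticate(first)
    second = first + [build_authorization("st.patrick", "shamrock")]
    status2, _ = authenticate(second)
    return status1, challenge, status2


if __name__ == "__main__":
    print(scenario())
    print(parse_authorization("Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
```

Running `parse_authorization` on the header from the previous slide returns the RFC's own example pair, Aladdin and "open sesame", which is the whole point of the "sends password in the clear" bullet: every proxy, log and packet capture between client and server can do the same decode.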

Page 6: Web Server Design Week 10

How Apache Does It… (Note: we're not going to do it this way!)

♣ In either <Directory> entries in the config file, or ".htaccess" files in directories:

AuthType Basic
AuthName "This is what RFC 2617 calls a Domain"
AuthUserFile /usr/local/apache/passwd/passwords
Require user St.Patrick

♣ Many more options possible:
  ♣ http://httpd.apache.org/docs/2.0/howto/auth.html

Page 7: Web Server Design Week 10

Authentication Example

(mln-web:~/public_html/restricted) mklein% ls -al
total 12
drwxr-xr-x 2 mklein sshd 136 Mar 10 17:49 .
drwxr-xr-x 7 mklein sshd 336 Mar 10 17:48 ..
-rw-r--r-- 1 mklein sshd 125 Mar 10 17:48 .htaccess
-rwxr-xr-x 1 mklein sshd  93 Mar 10 17:49 encode.pl
-rw-r--r-- 1 mklein sshd  24 Mar 10 17:48 paddys.txt

(mln-web:~/public_html/restricted) mklein% more .htaccess
AuthType Basic
AuthName "It's St.Patrick's Day, Lads - pwd required"
AuthUserFile /home/mklein/cs595passwd
Require user st.patrick

(mln-web:~/public_html/restricted) mklein% more encode.pl
#!/usr/bin/perl

use MIME::Base64;

# second argument "" suppresses the newline encode_base64 appends by default,
# so the print below emits exactly one line
$str = encode_base64("st.patrick:shamrock", "");
print "$str\n";

(mln-web:~/public_html/restricted) mklein% ./encode.pl
c3QucGF0cmljazpzaGFtcm9jaw==

Page 8: Web Server Design Week 10

Request #1

bookpower:~ mk$ telnet mln-web.cs.odu.edu 80
Trying 128.82.4.82...
Connected to mln-web.cs.odu.edu.
Escape character is '^]'.
HEAD /~mklein/restricted/ HTTP/1.1
Host: mln-web.cs.odu.edu
Connection: close

HTTP/1.1 401 Authorization Required
Date: Wed, 10 Mar 2010 22:50:35 GMT
Server: Apache
WWW-Authenticate: Basic realm="It's St.Patrick's Day, Lads - pwd required"
Connection: close
Content-Type: text/html; charset=iso-8859-1

Connection closed by foreign host.

Page 9: Web Server Design Week 10

Request #2

bookpower:~ mk$ telnet mln-web.cs.odu.edu 80
Trying 128.82.4.82...
Connected to mln-web.cs.odu.edu.
Escape character is '^]'.
HEAD /~mklein/restricted/ HTTP/1.1
Host: mln-web.cs.odu.edu
Connection: close
Authorization: Basic c3QucGF0cmljazpzaGFtcm9jaw==

HTTP/1.1 200 OK
Date: Wed, 10 Mar 2010 22:51:37 GMT
Server: Apache
Connection: close
Content-Type: text/html;charset=ISO-8859-1

Connection closed by foreign host.

Page 10: Web Server Design Week 10

Why Not a "403 Forbidden"?

10.4.4 403 Forbidden

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.