Http Basic Authentication and Tomcat.

There are two steps involved in any web application's security: authentication and authorization. Authentication establishes whether the client is who it claims to be. Once authentication is done, the request goes on to authorization, which decides whether the authenticated user is entitled to access the requested resource.

There are four ways to configure authentication in a web application:

  1. Basic Authentication.
  2. Digest Authentication.
  3. Form Based Authentication.
  4. Client-Cert.

Basic Authentication is the simplest form of authentication. When a client tries to access a protected resource, the browser prompts with a login/password dialog box. Once the user enters a login/password, the entered values are compared with the login/password of the realm configured in the web server, and if they match the user is authenticated successfully.

The following four steps are involved in Basic Authentication:

  1. The client requests a protected resource.

HTTP request:

    GET /private/index.html HTTP/1.0
    Host: localhost

  2. The server checks the requested file, finds that it is a protected resource and sends back a response asking the client to authenticate.

HTTP response:

    HTTP/1.0 401 Authorization Required
    Server: HTTPd/1.0
    Date: Sat, 27 Nov 2004 10:18:15 GMT
    WWW-Authenticate: Basic realm="Secure Area"
    Content-Type: text/html
    Content-Length: 311

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
    <HTML>
    <HEAD>
    <TITLE>Error</TITLE>
    <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
    </HEAD>
    <BODY><H1>401 Unauthorised.</H1></BODY>
    </HTML>

  3. On receiving the "401 Authorization Required" response the browser prompts for a user name and password. The look and feel of this prompt is browser dependent. The user enters the login name/password and the browser sends them back to the server. The password is Base64 encoded, not encrypted: anyone who captures this header can decode the password. Hence "Basic Authentication" is the weakest form of authentication.

HTTP request:

    GET /private/index.html HTTP/1.0
    Host: localhost
    Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

  4. The server checks the login/password against the requested realm and, if they match, assigns the configured role to the requesting user. It then checks web.xml to see whether this role is allowed to access the requested resource, and if the role is allowed, the server sends the requested resource.

HTTP response:

    HTTP/1.0 200 OK
    Server: HTTPd/1.0
    Date: Sat, 27 Nov 2004 10:19:07 GMT
    Content-Type: text/html
    Content-Length: 10476

Configuring Basic Authentication in tomcat:-

A realm is an abstract concept that can be thought of as the place where login names, passwords and associated roles are stored. Tomcat supports many types of realm.

The following types of realm ship with Tomcat:

  • JDBCRealm – Accesses authentication information stored in a relational database, accessed via a JDBC driver.
  • DataSourceRealm – Accesses authentication information stored in a relational database, accessed via a named JNDI JDBC DataSource.
  • JNDIRealm – Accesses authentication information stored in an LDAP based directory server, accessed via a JNDI provider.
  • MemoryRealm – Accesses authentication information stored in an in-memory object collection, which is initialized from an XML document (conf/tomcat-users.xml).
  • JAASRealm – Accesses authentication information through the Java Authentication & Authorization Service (JAAS) framework.

We can also write our own customized realm and integrate it with Tomcat.

Configuring JDBCRealm:-

In JDBCRealm we store login names/passwords and the associated roles in database tables and configure Tomcat to read these values when checking whether a specific user is allowed to access a protected resource.

First create the database tables to store login names, passwords and roles:

    mysql> create table login(
        -> user_name varchar(15) not null primary key,
        -> user_pass varchar(15) not null
        -> );
    Query OK, 0 rows affected (0.58 sec)

    mysql> create table role(
        -> user_name varchar(15) not null,
        -> user_role varchar(15) not null,
        -> primary key (user_name,user_role)
        -> );
    Query OK, 0 rows affected (0.13 sec)

    mysql> insert into login values ('vivek','password');
    Query OK, 1 row affected (0.15 sec)

    mysql> insert into role values('vivek','myrole');
    Query OK, 1 row affected (0.10 sec)

Configure JDBCRealm:

Open <TOMCAT_HOME_DIR>/conf/server.xml and add the following lines (the table and column names must match the tables created above exactly, with no stray whitespace):

    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driverName="org.gjt.mm.mysql.Driver"
           connectionURL="jdbc:mysql://localhost/test"
           connectionName="<database login>"
           connectionPassword="<database password>"
           userTable="login" userNameCol="user_name" userCredCol="user_pass"
           userRoleTable="role" roleNameCol="user_role" />

Here we point the realm at the tables created above. Put the driver jar (mysql-connector-java-5.1.6-bin.jar) in the <TOMCAT_HOME_DIR>/server/lib directory.

Configure web.xml for basic authentication:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Basic Authentications</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>myrole</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>BASIC</auth-method>
    </login-config>

    <security-role>
      <description>Test role</description>
      <role-name>myrole</role-name>
    </security-role>

Here we are configuring all requested resources (/*) as protected, so that only a user having myrole (the role we inserted into the role table above) can access them.
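To see how the four-step exchange above and the JDBCRealm plus web.xml configuration work together, here is an added example (not code from the original post or from Tomcat) of the per-request decision a container makes: decode the Basic header, look the user up in the login/role tables, then apply the security-constraint. It assumes an in-memory SQLite copy of the page's MySQL tables, and the hypothetical function names parse_basic, authenticate and handle.

```python
import base64
import binascii
import hmac
import sqlite3

def build_realm_db():
    # Constructed stand-in for the page's MySQL tables: same schema and rows, SQLite in memory.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE login(user_name TEXT PRIMARY KEY, user_pass TEXT NOT NULL);
        CREATE TABLE role(user_name TEXT, user_role TEXT, PRIMARY KEY(user_name, user_role));
        INSERT INTO login VALUES ('vivek', 'password'); INSERT INTO role VALUES ('vivek', 'myrole');""")
    return db

REALM_DB = build_realm_db()
# Mirrors the web.xml security-constraint on the page.
CONSTRAINT = {"url_pattern": "/*", "methods": {"GET", "POST"}, "roles": {"myrole"}}

def parse_basic(authorization):
    """Decode 'Authorization: Basic <base64>' into (user, password), or None if malformed."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:  # base64 is an encoding, not encryption: whoever holds the header recovers this
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def authenticate(db, user, password):
    """Return the user's roles on a credential match, else None (what JDBCRealm decides)."""
    row = db.execute("SELECT user_pass FROM login WHERE user_name = ?", (user,)).fetchone()
    # The page's schema stores the password in clear; compare in constant time anyway.
    if row is None or not hmac.compare_digest(row[0].encode(), password.encode()):
        return None
    return [r[0] for r in db.execute("SELECT user_role FROM role WHERE user_name = ?", (user,))]

def handle(method, path, headers, db=REALM_DB):
    """Return (status, extra headers) the way the container's authenticator would."""
    prefix = CONSTRAINT["url_pattern"].rstrip("*")  # "/*" -> "/", a path-prefix pattern
    if not path.startswith(prefix) or method not in CONSTRAINT["methods"]:
        return 200, {}  # only the listed http-methods are constrained; others pass unchallenged
    creds = parse_basic(headers.get("Authorization", ""))
    roles = authenticate(db, *creds) if creds else None
    if roles is None:
        return 401, {"WWW-Authenticate": 'Basic realm="Secure Area"'}
    if not CONSTRAINT["roles"] & set(roles):
        return 403, {}
    return 200, {}
```

Because the constraint lists only GET and POST, a HEAD request to the same path is served with 200 and no challenge; omitting the <http-method> elements makes the constraint cover every method.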

Start the server and request the resource:

When we type the address of the protected resource in the browser's address bar we get the following authentication prompt.

Enter the login name/password:

Here are the HTTP requests sent to and the responses received from the server. I used tcpmon to monitor the request/response traffic:

    Request 1:

    GET /StrutsAppn/loginContent.jsp HTTP/1.1
    Accept: image/gif, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
    Accept-Encoding: gzip, deflate
    Host: localhost:6060
    Connection: Keep-Alive

    Response 1:

    HTTP/1.1 401 Unauthorized
    Server: Apache-Coyote/1.1
    Pragma: No-cache
    Cache-Control: no-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    WWW-Authenticate: Basic realm="localhost:6060"
    Content-Type: text/html
    Content-Language: en-US
    Transfer-Encoding: chunked
    Date: Sun, 01 Nov 2009 07:18:41 GMT

    2af
    <html><head><title>Apache Tomcat/4.1.37 - Error report</title><STYLE><!--H1{font-family : sans-serif,Arial,Tahoma;color : white;background-color : #0086b2;} H3{font-family : sans-serif,Arial,Tahoma;color : white;background-color : #0086b2;} BODY{font-family : sans-serif,Arial,Tahoma;color : black;background-color : white;} B{color : white;background-color : #0086b2;} HR{color : #0086b2;} --></STYLE> </head><body><h1>HTTP Status 401 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>This request requires HTTP authentication ().</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/4.1.37</h3></body></html>
    0

    Request 2:

    GET /StrutsAppn/loginContent.jsp HTTP/1.1
    Accept: image/gif, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
    Accept-Encoding: gzip, deflate
    Host: localhost:6060
    Connection: Keep-Alive
    Authorization: Basic dml2ZWs6cGFzc3dvcmQ=

    Response 2:

    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Pragma: No-cache
    Cache-Control: no-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Set-Cookie: JSESSIONID=651E0497005EA7AF96ADFFE99D65FA0E; Path=/StrutsAppn
    Content-Type: text/html;charset=ISO-8859-1
    Content-Length: 731
    Date: Sun, 01 Nov 2009 07:19:08 GMT

    <div>
    <table>
    <tr align="right">
    <td align="left">
    </td>
    </tr>
    </table>
    </div>
    <h2>Please enter Login name Password:</h2>
    <form method="post" action="/StrutsAppn/loginAction.do;jsessionid=651E0497005EA7AF96ADFFE99D65FA0E">
    <table>
    <tr><th align="right">User Id:</th><td align="left"><input name="userName" value=""></td></tr>
    <tr><th align="right">Password :</th><td align="left"><input name="password" value=""></td></tr>
    <tr><td align="right"><input value="Submit"></td><td align="left"><input name="org.apache.struts.taglib.html.CANCEL" value="Cancel" onclick="bCancel=true;"></td></tr>
    </table>
    </form>

    Request 3:

    GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
    Host: localhost:6060
    Connection: Keep-Alive

    Response 3:

    HTTP/1.1 404 /favicon.ico
    Server: Apache-Coyote/1.1
    Content-Type: text/html;charset=ISO-8859-1
    Content-Language: en-US
    Transfer-Encoding: chunked
    Date: Sun, 01 Nov 2009 07:19:08 GMT

    2d1
    <html><head><title>Apache Tomcat/4.1.37 - Error report</title><STYLE><!--H1{font-family : sans-serif,Arial,Tahoma;color : white;background-color : #0086b2;} H3{font-family : sans-serif,Arial,Tahoma;color : white;background-color : #0086b2;} BODY{font-family : sans-serif,Arial,Tahoma;color : black;background-color : white;} B{color : white;background-color : #0086b2;} HR{color : #0086b2;} --></STYLE> </head><body><h1>HTTP Status 404 - /favicon.ico</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>/favicon.ico</u></p><p><b>description</b> <u>The requested resource (/favicon.ico) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/4.1.37</h3></body></html>
    0

Note: After analyzing the responses I found the last request/response pair (favicon.ico, http://en.wikipedia.org/wiki/Favicon) very surprising. I had not requested this icon file, nor did any of the page requests reference favicon.ico. After searching on the net I found that this file is always requested by the browser to display an icon near the address bar.
