BASIC authentication doubt.

Vishnu Prakash
Ranch Hand

Joined: Nov 15, 2004
Posts: 1026
With NO <transport-guarantee> element in the DD and <auth-method> as BASIC, if I request a constrained resource, the container issues a 401 Unauthorized response directing the browser to get login information from the client, and the browser pops up a dialog box to get the username/password.

What I'd like to know here is whether this username/password sent back to the container in the request header is visible or NOT. As per my understanding it should be visible, because BASIC does not provide encryption. But I couldn't see them in the request header. I am using Http Header Live to trace the request and response headers.

I see this as part of the request header after the request has been made with user login information:
Authorization: Basic cHJpeWE6cHJpeWE=

It looks like it's been encrypted. But BASIC doesn't provide encryption.
I am totally confused here.


Servlet Spec 2.4/ Jsp Spec 2.0/ JSTL Spec 1.1 - JSTL Tag Documentation
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

That isn't encrypted, it is a Base64 encoded String in the form username:password
Vishnu Prakash
Ranch Hand

Joined: Nov 15, 2004
Posts: 1026
You mean it is encoded.

Now I'd like to hear the difference between Encoding and Encrypting.
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

Sometimes the behaviour can look the same, but the aim is different.

Encryption alters the data so that the original value cannot be easily found given the 'cyphered' or altered value. Ideally you should not be able to reverse the encryption process unless you are meant to.

Encoding is just the representation of the data. It is possible to represent data in many ways that can be easily converted between representations. Base64 encoding is a very common encoding which represents binary data as a subset of the ASCII character set. This allows binary data to be treated as text and makes it work when only text is allowed. I won't go into too many details of the why or what or how.

Dave
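
The point made in this thread, as an added example that is not part of the original posts: the header value can be turned back into username:password with no key at all, which is what makes it encoding rather than encryption. The class and method names are hypothetical, and UTF-8 credentials are an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

public class BasicAuthDecode {

    /**
     * Parses the value of an "Authorization" request header.
     * Returns {username, password}, or empty for another scheme or malformed input.
     */
    static Optional<String[]> parse(String headerValue) {
        if (headerValue == null) return Optional.empty();
        String[] parts = headerValue.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) {
            return Optional.empty();
        }
        byte[] raw;
        try {
            // No key or secret is involved: Base64 is a public, reversible mapping.
            raw = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // not valid Base64
        }
        // Assumption: the client sent UTF-8 credentials.
        String decoded = new String(raw, StandardCharsets.UTF_8);
        // Split on the FIRST colon only; the password itself may contain colons.
        int colon = decoded.indexOf(':');
        if (colon < 0) return Optional.empty();
        return Optional.of(new String[] {
            decoded.substring(0, colon), decoded.substring(colon + 1)
        });
    }

    public static void main(String[] args) {
        // Header value exactly as posted in the thread.
        String[] c = parse("Basic cHJpeWE6cHJpeWE=").get();
        System.out.println("user=" + c[0] + " password=" + c[1]);
        // Constructed inputs: a different scheme and invalid Base64 are rejected.
        System.out.println(parse("Bearer abc").isPresent());
        System.out.println(parse("Basic !!!").isPresent());
    }
}
```

Since anyone who can read the header can do the same, BASIC credentials are only protected in transit when the connection itself is encrypted, for example with `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` in the DD.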
 