JavaRanch » Java Forums » Engineering » Security

Basic authentication without a secure connection

Imre Tokai
Ranch Hand

Joined: Jun 04, 2008
Posts: 130
Hello!


I'm developing a Java, Struts, Tomcat application.
I attached a screenshot of the authentication dialog that appears when I want to open a page from another server via my application.

Is there any way to pass the username and password (attach it to the link, or put it in the session/request) so it won't be necessary to fill in the attached dialog? How?



[Attachment: auth2.bmp]

Imre Tokai
Ranch Hand

Joined: Jun 04, 2008
Posts: 130
Hello (again)!


Have you had experience with java.net.Authenticator? Can I use it for this issue? How?


Regards

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41525
Are you asking about programmatic access or by a user with a browser?


Imre Tokai
Ranch Hand

Joined: Jun 04, 2008
Posts: 130
Browser.

I'm developing a web application and want to access another server that requires authentication.


Regards
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41525
In that case - no, it's not possible, and no Java class (like Authenticator) is going to help.
Hong Anderson
Ranch Hand

Joined: Jul 05, 2005
Posts: 1936
Basic Authentication was defined in HTTP protocol, I doubt Java (or any language) can bypass it.


Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41525
Basic Authentication was defined in HTTP protocol, I doubt Java (or any language) can bypass it.

That's really misleading. Java has the HttpURLConnection class that can do just about everything that HTTP can do. But there's no Java involved here - as Imre said, he's talking about a web page in a browser.
Imre Tokai
Ranch Hand

Joined: Jun 04, 2008
Posts: 130
Thank you for your answers!


By the way, how is Basic Authentication defined in HTTP protocol?
Via cookie, cache, request...? How are the credentials kept (in browser)?


Regards
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41525
how is Basic Authentication defined in HTTP protocol?
Via cookie, cache, request...? How are the credentials kept (in browser)?

The browser keeps username and password in memory; they're generally lost once the browser exits. And, actually, that's the only way for a browser to forget those credentials - there's no way to "log out" from Basic Auth; the browser will keep sending the credentials until it quits.

All the gory details can be found in the "HTTP 1.1 Authentication" spec, which you'll find on the SpecificationURLs page linked in my signature.
Hong Anderson
Ranch Hand

Joined: Jul 05, 2005
Posts: 1936
Ulf Dittmer wrote:
Basic Authentication was defined in HTTP protocol, I doubt Java (or any language) can bypass it.

That's really misleading. Java has the HttpURLConnection class that can do just about everything that HTTP can do. But there's no Java involved here - as Imre said, he's talking about a web page in a browser.

I know Basic Authentication. But I don't understand why my statement is misleading. Could you please explain more?

And I don't get you: you say exactly the same as I do, but you say my statement is misleading?
If my statement is misleading, what does it mislead to?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41525
Well, if we are saying the same thing, then I must have misunderstood you before.

I think the statement is misleading because a) Java has nothing at all to do with this (it's a question of links in a web page - there's no Java involved), and b) if, on the other hand, one were to use Java for accessing the URL, then it would be perfectly possible to bypass any user involvement in the authentication step because Basic Auth uses HTTP headers which Java can easily set.
I didn't think that the non-connection between the problem at hand and the Java language was clear, nor that the fact that Basic Auth is an HTTP standard was relevant.
Hong Anderson
Ranch Hand

Joined: Jul 05, 2005
Posts: 1936
Thanks for your explanation.
I understood the context of this problem. I mentioned Java because Imre asked about java.net.Authenticator.
Imre Tokai
Ranch Hand

Joined: Jun 04, 2008
Posts: 130
I found another approach for this problem in RFC 2617, which you sent, Ulf:


Also I read:
http://en.wikipedia.org/wiki/Basic_access_authentication

So, if I can modify the request header, I will add the line "Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="

Is there any way to modify/create an HTTP request that will contain the line
"Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
?


Regards
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41525
It's easily possible if you have control over the request header (like if you were using the URLConnection class from within a Java application), but not if the client is a browser.
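What Ulf describes (and the header Imre wants to add) in working Java, as an added example that is not code from this thread or from Imre's application. It shows the two ways a Java client, as opposed to a browser, can satisfy a Basic challenge: setting the Authorization header on an HttpURLConnection directly, or registering a java.net.Authenticator and letting the JDK answer the 401. The target URL, username and password are assumed to come from the command line; only the "Aladdin" / "open sesame" pair and its base64 form are from RFC 2617.

```java
import java.io.IOException;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.PasswordAuthentication;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example (not from the thread): a Java client answering HTTP Basic
 * authentication without any dialog, as described in RFC 2617 section 2.
 */
public class BasicAuthClient {

    /** Builds the Authorization header value: "Basic " + base64(user ":" password). */
    static String basicCredentials(String user, String password) {
        // RFC 2617 leaves the charset unspecified; UTF-8 is the safe choice today (RFC 7617's charset="UTF-8").
        String userPass = user + ":" + password;
        return "Basic " + Base64.getEncoder().encodeToString(userPass.getBytes(StandardCharsets.UTF_8));
    }

    /** Way 1: set the header explicitly, which a browser will not let page code do. */
    static int fetchWithHeader(URL url, String user, String password) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestProperty("Authorization", basicCredentials(user, password));
        int status = conn.getResponseCode();
        conn.disconnect();
        return status;
    }

    /** Way 2: register a java.net.Authenticator; the JDK answers the 401 challenge itself. */
    static int fetchWithAuthenticator(URL url, String user, char[] password) throws IOException {
        Authenticator.setDefault(new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                // Only answer challenges from the host we meant to talk to, so the
                // credentials are not handed to any other server that sends a 401.
                if (!url.getHost().equalsIgnoreCase(getRequestingHost())) {
                    return null;
                }
                return new PasswordAuthentication(user, password);
            }
        });
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        int status = conn.getResponseCode();
        conn.disconnect();
        return status;
    }

    public static void main(String[] args) throws IOException {
        // Cross-check against RFC 2617 section 2: user "Aladdin", password "open sesame".
        String expected = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==";
        String actual = basicCredentials("Aladdin", "open sesame");
        if (!expected.equals(actual)) {
            throw new IllegalStateException("encoding mismatch: " + actual);
        }
        System.out.println("Authorization: " + actual);

        // Assumed usage: java BasicAuthClient <url> <user> <password>
        if (args.length == 3) {
            URL url = new URL(args[0]);   // e.g. http://other-server.example/protected/ (placeholder host)
            if (!"https".equals(url.getProtocol())) {
                System.err.println("warning: Basic over plain HTTP sends the password base64-encoded, not encrypted");
            }
            System.out.println("explicit header -> HTTP " + fetchWithHeader(url, args[1], args[2]));
            System.out.println("Authenticator   -> HTTP " + fetchWithAuthenticator(url, args[1], args[2].toCharArray()));
        }
    }
}
```

Both paths send the same "Authorization: Basic ..." header. Base64 is an encoding, not encryption, so over a plain HTTP connection (the situation in the thread title) anyone on the network path can read the password; the warning in main() is there for that reason.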
Hong Anderson
Ranch Hand

Joined: Jul 05, 2005
Posts: 1936
Imre Tokai wrote:
Is there any way to modify/create HTTP request that will contain line:
"Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="

Let's say the server is Apache HTTP Server and the user agent is Firefox: you open a page in Firefox, Apache sends a 401 response to Firefox, so Firefox brings up the dialog.
When and how do you modify the HTTP header?
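The server side of the exchange Hong describes, as an added example that is not code from the thread or from any Apache or Tomcat configuration: a minimal HTTP server that sends the 401 challenge with a WWW-Authenticate header (which is what makes the browser open its dialog) and then parses and verifies the Authorization header the client sends back. It uses the JDK's built-in com.sun.net.httpserver package; the realm name, port, and the "Aladdin" / "open sesame" credentials are constructed for the example.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

/** Added example (not from the thread): the server half of the 401 / Authorization exchange. */
public class BasicAuthServer {

    static final String REALM = "example";            // constructed realm name
    static final String USER = "Aladdin";             // constructed demo credentials (RFC 2617's example pair);
    static final String PASSWORD = "open sesame";     // a real deployment checks a password hash from a store

    /** Result of checking one Authorization header value. */
    enum Outcome { NO_CREDENTIALS, MALFORMED, WRONG_PASSWORD, OK }

    /** Parses "Basic <base64>" and verifies the user:password pair it carries. */
    static Outcome check(String authorization) {
        if (authorization == null) {
            return Outcome.NO_CREDENTIALS;
        }
        // The scheme name is case-insensitive (RFC 2617 section 1.2).
        if (authorization.length() < 6 || !authorization.substring(0, 6).equalsIgnoreCase("Basic ")) {
            return Outcome.MALFORMED;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(authorization.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return Outcome.MALFORMED;
        }
        String userPass = new String(decoded, StandardCharsets.UTF_8);
        int colon = userPass.indexOf(':');   // the user-id cannot contain ':', the password may
        if (colon < 0) {
            return Outcome.MALFORMED;
        }
        String user = userPass.substring(0, colon);
        String password = userPass.substring(colon + 1);
        // Constant-time comparison so a wrong guess does not leak how many bytes matched.
        boolean userOk = MessageDigest.isEqual(user.getBytes(StandardCharsets.UTF_8),
                                               USER.getBytes(StandardCharsets.UTF_8));
        boolean passOk = MessageDigest.isEqual(password.getBytes(StandardCharsets.UTF_8),
                                               PASSWORD.getBytes(StandardCharsets.UTF_8));
        return (userOk & passOk) ? Outcome.OK : Outcome.WRONG_PASSWORD;
    }

    static class ProtectedHandler implements HttpHandler {
        @Override
        public void handle(HttpExchange ex) throws IOException {
            Outcome outcome = check(ex.getRequestHeaders().getFirst("Authorization"));
            if (outcome == Outcome.OK) {
                respond(ex, 200, "hello, " + USER + "\n");
            } else {
                // The challenge that makes Firefox (or any browser) open its login dialog.
                ex.getResponseHeaders().set("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
                respond(ex, 401, "authentication required\n");
            }
        }
    }

    static void respond(HttpExchange ex, int status, String body) throws IOException {
        byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
        ex.sendResponseHeaders(status, bytes.length);
        try (OutputStream out = ex.getResponseBody()) {
            out.write(bytes);
        }
    }

    public static void main(String[] args) throws IOException {
        // Sanity checks on the parser before serving anything.
        if (check(null) != Outcome.NO_CREDENTIALS) throw new AssertionError();
        if (check("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==") != Outcome.OK) throw new AssertionError();     // RFC 2617 example
        if (check("basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==") != Outcome.OK) throw new AssertionError();     // scheme case-insensitive
        if (check("Basic QWxhZGRpbjp3cm9uZw==") != Outcome.WRONG_PASSWORD) throw new AssertionError(); // "Aladdin:wrong"
        if (check("Basic !!!") != Outcome.MALFORMED) throw new AssertionError();
        if (check("Bearer abc") != Outcome.MALFORMED) throw new AssertionError();

        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8080), 0);
        server.createContext("/protected", new ProtectedHandler());
        server.start();
        System.out.println("listening on http://127.0.0.1:8080/protected (plain HTTP: credentials are only base64, not encrypted)");
    }
}
```

Run it with `java BasicAuthServer.java`, then open http://127.0.0.1:8080/protected in a browser: the first request carries no Authorization header, the server answers 401 with WWW-Authenticate, the browser shows the dialog, and every later request to that realm carries the header until the browser exits, as Ulf noted above.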
Imre Tokai
Ranch Hand

Joined: Jun 04, 2008
Posts: 130
There is an application on an (Apache) Tomcat server that contains a link to an application on another server (not Tomcat), which has Basic authentication.
I'd modify the request (add "Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==") that is sent to the other server after the link is clicked.
So far, I get replies that tell me this is not likely.

Any (more) ideas?


Regards
Hong Anderson
Ranch Hand

Joined: Jul 05, 2005
Posts: 1936
HttpServletRequest interface has no setHeader method.
As far as I know, it's not possible.

But why do you want to bypass the Basic Authentication dialog? It's good to have the dialog, so people who don't have credentials cannot access protected resources.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41525
But why do you want to bypass the Basic Authentication dialog? It's good to have the dialog, so people who don't have credentials cannot access protected resources.

He doesn't want to bypass security; he wants to bypass the dialog by passing in the credentials via alternative means (see the first post in this topic).
Hong Anderson
Ranch Hand

Joined: Jul 05, 2005
Posts: 1936
Ulf Dittmer wrote:
But why do you want to bypass the Basic Authentication dialog? It's good to have the dialog, so people who don't have credentials cannot access protected resources.

He doesn't want to bypass security; he wants to bypass the dialog by passing in the credentials via alternative means (see the first post in this topic).

Yes, I know. I asked why he wants to bypass the Basic Authentication dialog. Maybe there is a good reason behind this; I'm just curious.

Actually, bypassing the dialog for users means bypassing security: it's like having a login page and also having a link that logs in on our behalf (and on behalf of anyone who can access the link, including hackers).
Providing a back door to access protected resources causes a security hole.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41525
Actually, bypassing the dialog for users means bypassing security: it's like having a login page and also having a link that logs in on our behalf (and on behalf of anyone who can access the link, including hackers). Providing a back door to access protected resources causes a security hole.

No, you're still misunderstanding what the problem is. Trying to bypass the dialog by passing the credentials some other way is NOT a security hole.
Hong Anderson
Ranch Hand

Joined: Jul 05, 2005
Posts: 1936
Ulf Dittmer wrote:
Actually, bypassing the dialog for users means bypassing security: it's like having a login page and also having a link that logs in on our behalf (and on behalf of anyone who can access the link, including hackers). Providing a back door to access protected resources causes a security hole.

No, you're still misunderstanding what the problem is. Trying to bypass the dialog by passing the credentials some other way is NOT a security hole.

It depends on the situation.

For example, I have web A and web B. In web A, I bypass the login to access web B's protected resources.
Then there is a hacker who wants to access the protected resources of web B, but he cannot hack web B, so he hacks web A instead, which has a weaker security level, and after that he can access web B's protected resources; for me this is a security hole.

But it depends; in some cases maybe it's all right, but we cannot say for sure that it will be all right in every case.
That is why I asked the topic creator what the reason is.

In any case, I didn't say that "trying to bypass the dialog by passing the credentials some other way" is a security hole; those are your words, not mine. Please read again.
The fact is I answered your question (not the topic creator's question) and explained further, but you mixed it up; sorry for confusing you.