File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Sockets and Internet Protocols and the fly likes How to use Basic Authentication like a browser (best practices) Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of Murach's Java Servlets and JSP this week in the Servlets forum!
JavaRanch » Java Forums » Java » Sockets and Internet Protocols
Bookmark "How to use Basic Authentication like a browser (best practices)" Watch "How to use Basic Authentication like a browser (best practices)" New topic

How to use Basic Authentication like a browser (best practices)

Joe Areeda
Ranch Hand

Joined: Apr 15, 2011
Posts: 307

I'm exploring the possibility of implementing RESTFUL services from a Shibboleth ( protected site. So far what that means to me is that I have to support at a minimum Cookies, and. Basic Authentication. I'm still trying to conceptualize the process so please help me fill in the holes.

My reading has lead me to the Apache HTTP core client ( which seems like a very nice implementation of almost everything I need.

My current stumbling block is understanding the warnings in their documentation about the security problems with "preemptive authentication". They say:

HttpClient does not support preemptive authentication out of the box, because if misused or used incorrectly the preemptive authentication can lead to significant security issues, such as sending user credentials in clear text to an unauthorized third party. Therefore, users are expected to evaluate potential benefits of preemptive authentication versus security risks in the context of their specific application environment.

I take that to mean that it is good practice to try to connect, wait for a 401-Authentication required, somehow decide if you really, really want to send the requestor the user's password then what? I think I then ask the user for their username/password and make the same request with preemptive authentication. I do not see a way to reply directly to the 401 response.

The other buggaboo is that I really don't know of a way to check anything about the server. There are multiple redirects in sign-on process with the first one possibly using http. The rest use https and I think having valid certificates is enough. It is up to the server to decide which Identity Provider the log in requests are routed to.

So how do you handle 401 responses?


It's not what your program can do, it's what your users do with the program.
Joe Areeda
Ranch Hand

Joined: Apr 15, 2011
Posts: 307

I continue to experiment but I'm kind of stuck at this problem.

It seems like I need to know which host I'm sending the basic authentication username/password to. HttpHost is one of the arguments.

My problem is that things get redirected from the server specified in the url to the Identity provider.

How can I determine the host that issued the 401 code?

I think it's easy I just can't figure out which object and which call provides that information?

I agree. Here's the link:
subject: How to use Basic Authentication like a browser (best practices)
Similar Threads
selective authentication for a servlet?
Authenticate and authorise access to webservices
is PasswordAuthentication secure?
login/password question
RSS feed of a private forum