Java and HTTP Authentication - I
Java supports all kinds of HTTP authentication schemes, but unfortunately there is not a single good source on the web that explains in detail how to do the required setup.
In this blog we will discuss Basic and Digest authentication, and I'll try to explain in as much detail as possible how to do the required setup on the Tomcat web server and how Java handles these authentication schemes.
Basic Authentication:
The basic access authentication is a method designed to allow a web server, or other client program, to provide credentials – in the form of a user-name and password – when making a request.
Tomcat handles most of the authentication using different types of realms. A Realm is a "database" of usernames and passwords that identify valid users of a web application (or set of web applications), plus an enumeration of the list of roles associated with each valid user. To make basic authentication work with Tomcat we will use the default realm, i.e. "UserDatabaseRealm".
Step I: Update "<catalina_home>/conf/tomcat-users.xml" with the role, username and password information as follows (the role name must match the one assigned to the user and the one referenced from web.xml):
<role rolename="sunuser"/>
<user username="jituB" password="jitu20" roles="sunuser"/>
Step II: The next step is to protect web contents using the basic authentication scheme. When a user tries to access this protected web application, the web browser is going to ask for a username and password. To switch on the basic authentication scheme, add the following to the web.xml of the web application. For example, to protect the contents under <catalina_home>/webapps/basicAuth we need to update the web.xml under <catalina_home>/webapps/basicAuth/WEB-INF:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>app</web-resource-name>
        <url-pattern>/tests/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>sunuser</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>testBasicRealm</realm-name>
</login-config>
Step III: Try to run an applet sitting under <catalina_home>/webapps/basicAuth. You will see an authentication pop-up from the browser. Supply user: jituB and pass: jitu20 (the same ones specified inside tomcat-users.xml under Step I).
Make sure that there is no authentication pop-up from Java. If you are able to load the applet successfully after supplying the valid user/pass pair, then your setup is successful.
Digest Authentication:
Digest authentication is a hashed variant of Basic authentication, allowing user identity to be established securely without having to send the password in plain text over the network. In many environments, use of Basic authentication is undesirable because casual observers of the authentication data can collect enough information to log on successfully and impersonate other users. To avoid this problem, the standard implementations support the concept of digesting user passwords.
To make digest authentication work with Tomcat we will again use the default realm, i.e. "UserDatabaseRealm", but in this case the stored version of the passwords will be encoded in a form that is not easily reversible, yet which the Realm implementation can still use for authentication.
Before moving on to the setup details, I would like to briefly discuss Realm configuration. This is important because, in order to make digest authentication work, we need to change the default "UserDatabaseRealm" settings, and if you are trying to use the same web server for both types of authentication, it's better to configure the Realm at the right level, as described below:
- Inside an <Engine> element - This Realm will be shared across ALL web applications on ALL virtual hosts, UNLESS it is overridden by a Realm element nested inside a subordinate <Host> or <Context> element.
- Inside a <Host> element - This Realm will be shared across ALL web applications for THIS virtual host, UNLESS it is overridden by a Realm element nested inside a subordinate <Context> element.
- Inside a <Context> element - This Realm will be used ONLY for THIS web application.
As explained above, it's better to have the Realm configured at the Host or Context level, and for that we need to perform one extra step here. For example, we want to secure the contents under <catalina_home>/webapps/digestAuth/tests.
Step I: Make sure that the Realm is not configured at the Engine level; instead create a "digestAuth.xml" under <catalina_home>/conf/Catalina/localhost/. "digestAuth.xml" should contain something like the following:
<Context path="/tests" docBase="${catalina.home}/webapps/digestAuth/tests" debug="0" privileged="true">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" digest="MD5"/>
</Context>
Step II: Generate a digested password from the cleartext password using the Tomcat utility "<catalina_home>/bin/digest.sh" as explained below:
digest -a MD5 jituD:digestTestsRealm:jitu
This will return jituD:digestTestsRealm:jitu:b31b9667a9e4748187d6936a29cb12ed
Note:
- We have specified the MD5 algorithm because that is what the Realm was configured with under Step I. If you want to use SHA then the Realm configuration under Step I needs to be changed accordingly.
- The input to the "digest" utility, i.e. "jituD:digestTestsRealm:jitu", is a combination of user_name:realm_name:password. That means in this case "jituD" is going to be the username and "jitu" the password used to access the web application, while "digestTestsRealm" is the name of the realm against which we are setting up digest authentication. Note that the realm_name given here, "digestTestsRealm", must match the value of <realm-name> defined inside web.xml (see Step III below).
Note down the returned digested password "b31b9667a9e4748187d6936a29cb12ed" and update "<catalina_home>/conf/tomcat-users.xml" with the role, username and password information as follows (no trailing whitespace in the password attribute, or the comparison will fail):
<role rolename="sunsqeuser"/>
<user username="jituD" password="b31b9667a9e4748187d6936a29cb12ed" roles="sunsqeuser"/>
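To show what the stored value actually is and how the server uses it, here is an added Python example (not part of the original post or of Tomcat) that reproduces the digest.sh computation for the page's user/realm/password and then verifies a constructed browser response with nothing but that stored hash. The nonce, the request URI and the Authorization header are constructed for the demo.

```python
import hashlib
import hmac
import re

# Realm name and credentials are the ones used in this post's digest example.
REALM = "digestTestsRealm"
USERNAME = "jituD"
PASSWORD = "jitu"


def md5_hex(data: str) -> str:
    """Lower-case hex MD5 of a string, the hash Digest auth (RFC 2617) uses."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def tomcat_digested_password(username: str, realm: str, password: str) -> str:
    """What digest.sh -a MD5 prints after 'user:realm:password:', i.e. the value
    stored in tomcat-users.xml for a realm with digest="MD5". It is RFC 2617's HA1,
    so this stored value alone lets the server verify a client response."""
    return md5_hex(f"{username}:{realm}:{password}")


def client_response(username, realm, password, method, uri, nonce):
    """Response the browser computes for the original (non-qop) Digest flavour."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_digest_header(value: str) -> dict:
    """Split an 'Authorization: Digest k="v", k2=v2' value into a dict."""
    body = value.split(" ", 1)[1]
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]+)', body)}


def server_verify(stored_ha1: str, method: str, header: str) -> bool:
    """Check a client's Authorization header using only the stored digest."""
    fields = parse_digest_header(header)
    ha2 = md5_hex(f"{method}:{fields['uri']}")
    expected = md5_hex(f"{stored_ha1}:{fields['nonce']}:{ha2}")
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(expected, fields["response"])


def demo(password: str = PASSWORD) -> bool:
    """Constructed exchange for GET /tests/index.html; the server holds only the
    digested password, the client answers with the password passed in."""
    stored = tomcat_digested_password(USERNAME, REALM, PASSWORD)
    nonce = "constructed-nonce-0001"  # a real server generates a fresh random one
    resp = client_response(USERNAME, REALM, password, "GET", "/tests/index.html", nonce)
    header = (f'Digest username="{USERNAME}", realm="{REALM}", nonce="{nonce}", '
              f'uri="/tests/index.html", response="{resp}"')
    return server_verify(stored, "GET", header)
```

Because the stored hash is exactly the HA1 the server needs, tomcat-users.xml must be protected as carefully as a plaintext password file.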
Step III: The next step is to protect web contents using the digest authentication scheme. When a user tries to access this protected web application, the web browser is going to ask for a username and password. To switch on the digest authentication scheme, add the following to the web.xml inside <catalina_home>/webapps/digestAuth/WEB-INF:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>app</web-resource-name>
        <url-pattern>/tests/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>sunsqeuser</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>digestTestsRealm</realm-name>
</login-config>
Step IV: Try to run an applet sitting under <catalina_home>/webapps/digestAuth/tests. You will see an authentication pop-up from the browser. Note that this pop-up is going to be different from the one we got while running the basic authentication scenario. Supply user: jituD and pass: jitu.
Due to a bug in Java, unlike basic authentication, we will also get an authentication pop-up from Java. Supply the same user/pass pair again, i.e. user: jituD and pass: jitu.
If you are able to load the applet successfully after supplying the valid user/pass pair, then your setup is successful.
In my next blog I'll discuss form-based authentication and the most complicated one, client authentication.