HTTP Basic Authentication

Poster Content
nk4um User
Posts: 79
December 10, 2007 19:21
HTTP Basic Authentication - Obtain userid argument
1. Modify the HTTPBridgeConfig to pass the Authorization header
<passHeaders>Authorization</passHeaders>


2. Within the Java Accessor, source the Authorization header

String authorizationHeader = ((IAspectString)context.sourceAspect
    ("this:param:Authorization",IAspectString.class)).getString();


3. Parse Authorization String


Basic ZXNiOm715Gs1cm41bA==


a. Remove Basic

b. Decode ZXNiOm715Gs1cm41bA==

c. Extract userid from userid:password
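
The three parsing steps above as a stand-alone Java helper (an added example, not code from the original post or from NetKernel). The class name BasicAuthHeader, the UTF-8 charset and the sample credentials are assumptions; it uses java.util.Base64 from Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Hypothetical helper (not part of NetKernel): takes the string sourced from
// this:param:Authorization and returns only the userid, never the password.
public final class BasicAuthHeader {
    private static final String SCHEME = "Basic";

    /** Returns the userid, or empty if the header is absent or malformed. */
    public static Optional<String> userid(String header) {
        if (header == null) {
            return Optional.empty();
        }
        String value = header.trim();
        // a. Remove "Basic"; the scheme name is matched case-insensitively.
        if (value.length() <= SCHEME.length()
                || !value.regionMatches(true, 0, SCHEME, 0, SCHEME.length())
                || !Character.isWhitespace(value.charAt(SCHEME.length()))) {
            return Optional.empty();
        }
        String token = value.substring(SCHEME.length()).trim();
        // b. Decode the base64 token; invalid base64 is rejected, not guessed at.
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(token);
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        // Assumption: the client encoded its credentials as UTF-8.
        String credentials = new String(raw, StandardCharsets.UTF_8);
        // c. Split on the FIRST colon only: a password may contain colons.
        int colon = credentials.indexOf(':');
        if (colon <= 0) {
            return Optional.empty(); // no separator, or empty userid
        }
        return Optional.of(credentials.substring(0, colon));
    }

    public static void main(String[] args) {
        // Constructed sample credentials, encoded at run time.
        String token = Base64.getEncoder()
                .encodeToString("alice:pa:ss".getBytes(StandardCharsets.UTF_8));
        System.out.println(userid("Basic " + token));     // well-formed
        System.out.println(userid("basic   " + token));   // case and spacing
        System.out.println(userid("Bearer abc.def"));     // other scheme
        System.out.println(userid("Basic not*base64"));   // bad encoding
        System.out.println(userid(null));                 // header absent
    }
}
```

The helper only identifies the caller from the header; it does not check the password, so the result is trustworthy only on requests that the Jetty authentication handler has already verified for that HTTP verb.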
nk4um User
Posts: 15
December 7, 2007 21:05
GET vs POST authentication
Regarding question (1):
Each of the HTTP verbs must be locked down. If you lock the admin interface using a configuration handler given in:
http://www.1060.org/forum/topic/265/2
only the GET verb is included (so any "typical" URL-only request from the browser to NK is covered). Including the other verb names in this same type of setup will secure these other verbs as well.
nk4um User
Posts: 79
December 7, 2007 19:53
HTTP Basic Authentication Followup Questions
If basic authentication is enabled on the backend fulcrum, a username/password is required. We tested this using a browser and a JMeter test. But we have run into issues:

1. Why is a GET restricted but a POST passes through without credentials?

2. Once the request passes through the HTTP bridge, how can one access the username from within a Java Accessor?
nk4um Administrator
Posts: 158
November 1, 2007 17:19
You need to add the Jetty HTTP authentication handler.

This topic: http://www.1060.org/forum/topic/265/1 should cover the details.

Randy
nk4um User
Posts: 79
November 1, 2007 17:00
HTTP Basic Authentication & NetKernel
I am trying to come up with the most efficient and maintainable way of implementing authentication for our web services. HTTP supports Basic Authentication by allowing a client to submit a username/password. I believe these are encoded into one value. I wanted to know whether the encoded value would be passed on to a URI Gateway, or whether the Jetty or HTTP Bridge code would have already decoded them and attached them as parameters.
nk4um Administrator
Posts: 158
November 1, 2007 16:43
Authentication
In the standard NetKernel installation authentication is not set up for either the frontend or backend fulcrums.

Is this something that you want to set up for your installation?

Randy
nk4um User
Posts: 79
November 1, 2007 16:30
HTTP Basic Authentication
I noticed that by default the back-end fulcrum prompts for a username/password. Is this using HTTP Basic Authentication?

And can this be done on the front-end?

Or should we use a URI Gateway? And if we used a URI Gateway, would the username/password be passed as an encoded parameter, or would it have been decoded already and passed along as username & password parameters?

Note I would like to keep the requests stateless. So the username and password will be passed every time.