Web Server Design
Week 10
Old Dominion University
Department of Computer Science
CS 495/595 Spring 2010
Martin Klein <mklein@cs.odu.edu>
3/17/10
Authentication: Basic & Digest
♣ Defined in RFC-2617
♣ Basic
  ♣ very simple
  ♣ sends password in the clear (very bad)
  ♣ suitable for personalization; not real security
♣ Digest
  ♣ uses cryptographic hashes; password not sent in the clear
  ♣ stronger than Basic, but client support not as prevalent
  ♣ does not encrypt content…
    ♣ SSL, SHTTP or equivalent needed for that
Authentication Structure
♣ Both methods are structurally similar:
  ♣ when the server receives a request for a protected resource, it responds with:
    ♣ status code “401 Unauthorized”
    ♣ “WWW-Authenticate:” response header
  ♣ the client reissues the same request with the addition of:
    ♣ “Authorization:” request header
Basic
♣ “WWW-Authenticate:” response header:
  WWW-Authenticate: Basic realm="St. Patrick's Day"
  (“Basic” is the auth type; the realm is an opaque string to differentiate auth files)
♣ “Authorization:” request header:
  Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
  (“Basic” is the auth type; the token is Base64(username:password))
Scenario
client -> server:  GET shamrock HTTP/1.1
server -> client:  401 Unauthorized
                   WWW-Authenticate: Basic realm="Paddy's Day"
client -> server:  GET foo HTTP/1.1
                   Authorization: Basic St.Patrick:HolyTrinity
                   (in a real request, St.Patrick:HolyTrinity would be base64'd)
server -> client:  200 OK
scenario 2: the client could have sent the Authorization string with the initial request
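The exchange above, as an added example in Python (not part of the original slides or the course's server code): the client side builds the Base64(username:password) token, the server side parses an “Authorization: Basic” value and decides between “401 Unauthorized” with a “WWW-Authenticate:” challenge and “200 OK”. The user store and realm are constructed values.

```python
import base64
import hmac

# Constructed credential store (example values only).
# A real server would keep password hashes, not plaintext passwords.
USERS = {"st.patrick": "shamrock"}
REALM = "Paddy's Day"


def make_basic_authorization(user, password):
    """Client side: the value the slide writes as Base64(username:password)."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_authorization(header_value):
    """Return (username, password) from an 'Authorization: Basic ...' value,
    or None if the header is absent, malformed, or not the Basic scheme."""
    if header_value is None:
        return None
    parts = header_value.strip().split(None, 1)
    # RFC 2617: the auth-scheme token is case-insensitive.
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        # validate=True rejects non-base64 input such as the slide's
        # un-encoded "St.Patrick:HolyTrinity" instead of decoding garbage.
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # The userid may not contain ':', but the password may: split once only.
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def check_basic_auth(authorization_header):
    """Server side: returns (status, extra_headers) for a protected resource."""
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    creds = parse_basic_authorization(authorization_header)
    if creds is None:
        return "401 Unauthorized", challenge
    user, password = creds
    expected = USERS.get(user, "")
    # Constant-time comparison so the response time does not reveal
    # how many leading characters of the password were correct.
    if not expected or not hmac.compare_digest(password.encode("utf-8"),
                                               expected.encode("utf-8")):
        return "401 Unauthorized", challenge
    return "200 OK", {}
```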
How Apache Does It…
(Note: we’re not going to do it this way!)
♣ In either <Directory> entries in the config file, or “.htaccess” files in directories:
  AuthType Basic
  AuthName "This is what RFC 2617 calls a Domain"
  AuthUserFile /usr/local/apache/passwd/passwords
  Require user St.Patrick
♣ Many more options possible:
  ♣ http://httpd.apache.org/docs/2.0/howto/auth.html
Authentication Example
(mln-web:~/public_html/restricted) mklein% ls -al
total 12
drwxr-xr-x 2 mklein sshd 136 Mar 10 17:49 .
drwxr-xr-x 7 mklein sshd 336 Mar 10 17:48 ..
-rw-r--r-- 1 mklein sshd 125 Mar 10 17:48 .htaccess
-rwxr-xr-x 1 mklein sshd 93 Mar 10 17:49 encode.pl
-rw-r--r-- 1 mklein sshd 24 Mar 10 17:48 paddys.txt
(mln-web:~/public_html/restricted) mklein% more .htaccess
AuthType Basic
AuthName "It's St.Patrick's Day, Lads - pwd required"
AuthUserFile /home/mklein/cs595passwd
Require user st.patrick
(mln-web:~/public_html/restricted) mklein% more encode.pl
#!/usr/bin/perl
use MIME::Base64;
$str = encode_base64("st.patrick:shamrock");
print "$str\n";
(mln-web:~/public_html/restricted) mklein% ./encode.pl
c3QucGF0cmljazpzaGFtcm9jaw==
Request #1
bookpower:~ mk$ telnet mln-web.cs.odu.edu 80
Trying 128.82.4.82...
Connected to mln-web.cs.odu.edu.
Escape character is '^]'.
HEAD /~mklein/restricted/ HTTP/1.1
Host: mln-web.cs.odu.edu
Connection: close
HTTP/1.1 401 Authorization Required
Date: Wed, 10 Mar 2010 22:50:35 GMT
Server: Apache
WWW-Authenticate: Basic realm="It's St.Patrick's Day, Lads - pwd required"
Connection: close
Content-Type: text/html; charset=iso-8859-1
Connection closed by foreign host.
Request #2
bookpower:~ mk$ telnet mln-web.cs.odu.edu 80
Trying 128.82.4.82...
Connected to mln-web.cs.odu.edu.
Escape character is '^]'.
HEAD /~mklein/restricted/ HTTP/1.1
Host: mln-web.cs.odu.edu
Connection: close
Authorization: Basic c3QucGF0cmljazpzaGFtcm9jaw==
HTTP/1.1 200 OK
Date: Wed, 10 Mar 2010 22:51:37 GMT
Server: Apache
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Connection closed by foreign host.
Why Not a “403 Forbidden”?
10.4.4 403 Forbidden (quoted from RFC 2616)
The server understood the request, but is refusing to fulfill it.
Authorization will not help and the request SHOULD NOT be repeated.
If the request method was not HEAD and the server wishes to make
public why the request has not been fulfilled, it SHOULD describe the
reason for the refusal in the entity. If the server does not wish to
make this information available to the client, the status code 404
(Not Found) can be used instead.