SlideSet #18: HTTP Authentication


1 SlideSet #18: HTTP Authentication
References:
http://www.httpwatch.com/httpgallery/authentication/
http://httpd.apache.org/docs/2.2/howto/auth.html
SY306 Web and Databases for Cyber Operations

2 Outline
- HTTP Basic Authentication
- HTTP Digest Authentication

3 HTTP Authentication
Client <-> Server: how does the server know who the client is? (Authentication?)

4 Basic Authentication Demo

5 Basic Authentication

Client -> Server:
GET /secret.html HTTP/1.0

Server -> Client:
HTTP/1.1 401 Access Denied
WWW-Authenticate: Basic realm="secret files"
Content-Length: 0

Client -> Server:
GET /secret.html HTTP/1.0
Authorization: Basic dXNlcjpwYXNzd29yZA==

Notes:
- The token after "Basic" is Base64("user:password"). Base64 is an encoding, not encryption, so anyone who can read the request (proxy, sniffer, log file) recovers the password directly.
- The browser resends the Authorization header on every later request in the same realm, so the credential is exposed repeatedly; Basic authentication is only acceptable over TLS.
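The exchange above, as an added example that is not part of the slides: the client side builds the Authorization header from a user-id and password, and the server side parses it back and checks it against a constructed in-memory user table (a stand-in for the htpasswd file). The only value taken from the slide is the Authorization header, which decodes to user:password; the user table and the rejected inputs are constructed for the demo.

```python
import base64
import binascii
import hmac

# Authorization header copied from the slide; it decodes to "user:password".
SLIDE_AUTHORIZATION = "Basic dXNlcjpwYXNzd29yZA=="


def parse_challenge(www_authenticate: str) -> dict:
    """Parse 'Basic realm="secret files"' into {'scheme': 'Basic', 'realm': 'secret files'}."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    out = {"scheme": scheme}
    for part in params.split(","):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            out[key.strip().lower()] = value.strip().strip('"')
    return out


def build_basic_authorization(username: str, password: str) -> str:
    """Client side: join with ':' and Base64-encode. No secrecy is added."""
    if ":" in username:
        # RFC 7617: the user-id may not contain ':' because it is the separator.
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header_value: str):
    """Server side: recover (user, password), or None if the header is malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # the password itself may contain ':'
    if not sep:
        return None
    return user, password


def check_credentials(header_value: str, users: dict) -> bool:
    """Server side check against a constructed {user: password} table.
    compare_digest keeps the comparison constant-time so a wrong password
    does not leak how many leading characters matched."""
    parsed = parse_basic_authorization(header_value)
    if parsed is None:
        return False
    user, password = parsed
    expected = users.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


if __name__ == "__main__":
    users = {"user": "password"}  # constructed stand-in for the htpasswd file
    challenge = parse_challenge('Basic realm="secret files"')
    header = build_basic_authorization("user", "password")
    print("challenge realm:", challenge["realm"])
    print("client sends:   Authorization:", header)
    print("server decodes:", parse_basic_authorization(header))
    print("accepted:", check_credentials(header, users))
```

Run it and compare the printed header with the one on the slide; the point of the decode step is that the server (and anyone in between) gets the cleartext password back with one library call.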

6 How to set up Basic Authentication
- Have mod_auth_basic enabled on the web server
- Create the password file (not on a web-accessible path):
  htpasswd -c myfile myuser
- Configure the server to ask for credentials. Ex. in .htaccess:
  AuthType Basic
  AuthName myrealm
  AuthBasicProvider file
  AuthUserFile myfile
  Require valid-user
http://httpd.apache.org/docs/2.2/howto/auth.html

7 Lab Exercise
- ssh into mich316csdYYu (YY between 01 and 20)
- Create password file basicUsers.txt in your home dir (not web accessible) for your user mXXXXXX:
  htpasswd -c basicUsers.txt mXXXXXX
- From Windows or Unix: create a new folder BasicSecret in your public_html folder
- Copy starter.html into BasicSecret
- Create a .htaccess file in BasicSecret with content:
  AuthType Basic
  AuthName "Restricted files for basic"
  AuthBasicProvider file
  AuthUserFile /home/mids/mXXXXXX/basicUsers.txt
  Require valid-user
- In browser: http://zee.academy.usna.edu/~mXXXXXX/BasicSecret/starter.html
- You might need to change permissions on basicUsers.txt so the web server user can read it. In Unix:
  setfacl -m u:www-data:rx basicUsers.txt

8 Base64 Encoding
- Encodes binary to text (NOT encryption: it is fully reversible with no key)
- Uses 64 characters, so 6 bits are needed to represent each symbol
- To encode user:password:
  - Concatenate the ASCII binary representation of each character
  - If the number of bytes is not a multiple of 3, append one or two all-zero bytes
  - Split each 3-byte (24-bit) block into 4 blocks of 6 bits
  - Translate each 6-bit block to its Base64 character
  - If a 6-bit block came entirely from the padding, emit = instead
http://en.wikipedia.org/wiki/Base64
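The encoding steps listed above, carried through in code as an added example (not from the slides): an encoder that follows the 3-bytes-to-4-sextets procedure literally, including the = rule for sextets that come entirely from padding, and the matching decoder, which also rejects malformed input (bad length, characters outside the alphabet, padding in the wrong place). The decoder is applied to the ICE string from slide 10; the inputs are constructed for the demo.

```python
import base64

# The 64-symbol alphabet: index 0..63 maps to one character.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64encode_by_hand(data: bytes) -> str:
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)                 # 0, 1 or 2 zero bytes appended
        chunk = chunk + b"\x00" * pad
        n = int.from_bytes(chunk, "big")     # one 24-bit block
        sextets = [(n >> 18) & 63, (n >> 12) & 63, (n >> 6) & 63, n & 63]
        chars = [ALPHABET[s] for s in sextets]
        # The last `pad` sextets consist only of padding bits, so they become '='.
        # The sextet that straddles real data and padding keeps its character.
        for k in range(pad):
            chars[3 - k] = "="
        out.extend(chars)
    return "".join(out)


def b64decode_by_hand(text: str) -> bytes:
    if len(text) % 4 != 0:
        raise ValueError("Base64 text length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        if pad > 2 or (pad and not quad.endswith("=" * pad)):
            raise ValueError("'=' may only appear as one or two trailing characters")
        if pad and i + 4 != len(text):
            raise ValueError("padding is only allowed in the final block")
        n = 0
        for ch in quad:
            # ALPHABET.index raises ValueError for any character outside the alphabet.
            n = (n << 6) | (0 if ch == "=" else ALPHABET.index(ch))
        out.extend(n.to_bytes(3, "big")[:3 - pad])   # drop the padding bytes again
    return bytes(out)


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the hand-rolled encoder/decoder against the standard library."""
    encoded = b64encode_by_hand(data)
    return (encoded == base64.b64encode(data).decode("ascii")
            and b64decode_by_hand(encoded) == data)


if __name__ == "__main__":
    print(b64encode_by_hand(b"user:password"))        # constructed credential
    print(b64decode_by_hand("c3kzMDY6dGVzdA=="))       # the ICE string from slide 10
```

Each of the three input lengths modulo 3 exercises a different padding case; the matches_stdlib check is the quickest way to confirm a by-hand encoder on all of them.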

9 ASCII table: http://www.rapidtables.com/code/text/ascii-table.htm

10 ICE: Decode c3kzMDY6dGVzdA==

11 Digest Authentication
- Similar to Basic authentication, BUT passwords are not sent in plain (Base64) text
- Based on challenge-response authentication: the server sends a nonce, the client proves knowledge of the password by returning a hash that covers it
- Uses the MD5 hash

12 Digest Authentication - Part 1

Client -> Server:
GET /secret.html HTTP/1.0

Server -> Client:
HTTP/1.1 401 Access Denied
WWW-Authenticate: Digest realm="Restricted", nonce="SQzKShMSBQA=03e769c8c1c9062dcd9adcb06a8f787897de64fb", algorithm=MD5, qop="auth"
Content-Length: 0

13 Digest Authentication - Part 2

Client -> Server:
GET /secret.html HTTP/1.0
Authorization: Digest username="johnny", realm="Restricted", nonce="SQzKShMSBQA=03e769c8c1c9062dcd9adcb06a8f787897de64fb", uri="/secret.html", algorithm=MD5, response="ffd5ebb687c6198ef663e43b25a32d0e", qop=auth, nc=00000001, cnonce="80ddead374b429b7"

The response is MD5(HA1:nonce:nc:cnonce:qop:HA2), where HA1 = MD5(username:realm:password) and HA2 = MD5(method:uri).

Pros:
- The password itself never leaves the client; only a hash that depends on the server's nonce is sent
- The nonce and the nc counter let the server reject a replayed Authorization header
- The server can store HA1 (what htdigest writes) instead of the cleartext password

Cons:
- MD5, and HA1 is an unsalted hash of a short string, so a stolen password file can be attacked offline
- With qop=auth the hash covers only the method and URI, not the request body
- No server authentication: a man-in-the-middle can still relay the exchange or strip the Digest challenge, so TLS is still needed
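Both sides of the exchange on slides 12 and 13, as an added example that is not part of the slides: the client computes the RFC 2617 response for qop=auth from the challenge, and the server recomputes it from a stored HA1 line (the htdigest format user:realm:MD5hex) and rejects replays via the nc counter. The realm, nonce, username, URI and cnonce are copied from the slides; the password "s3cret" and the htdigest line are constructed, so the computed response will not equal the one on the slide, whose password is not given.

```python
import hashlib
import hmac
import secrets

# Challenge parameters copied from slide 12.
CHALLENGE = {
    "realm": "Restricted",
    "nonce": "SQzKShMSBQA=03e769c8c1c9062dcd9adcb06a8f787897de64fb",
    "algorithm": "MD5",
    "qop": "auth",
}


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is what htdigest stores, so the
    server side never needs the cleartext password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617, qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(username, password, method, uri, challenge, nc="00000001", cnonce=None):
    """Client side: the parameter set shown on slide 13. cnonce is random unless given."""
    cnonce = cnonce or secrets.token_hex(8)
    response = digest_response(ha1(username, challenge["realm"], password), method, uri,
                               challenge["nonce"], nc, cnonce, challenge["qop"])
    return {"username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
            "uri": uri, "algorithm": "MD5", "response": response,
            "qop": challenge["qop"], "nc": nc, "cnonce": cnonce}


def format_authorization(params: dict) -> str:
    """Serialise the parameters as an Authorization: Digest header value."""
    quoted = ("username", "realm", "nonce", "uri", "response", "cnonce")
    parts = [f'{k}="{v}"' if k in quoted else f"{k}={v}" for k, v in params.items()]
    return "Digest " + ", ".join(parts)


def server_verify(params, method, htdigest_lines, issued_nonce, seen_nc):
    """Server side: look up HA1, recompute the response, compare in constant time.
    seen_nc maps nonce -> highest nc accepted so far; a repeated or lower nc is a replay."""
    if params["nonce"] != issued_nonce:
        return False
    stored = None
    for line in htdigest_lines:
        user, realm, h = line.strip().split(":")
        if user == params["username"] and realm == params["realm"]:
            stored = h
    if stored is None:
        return False
    nc = int(params["nc"], 16)
    if nc <= seen_nc.get(params["nonce"], 0):
        return False
    expected = digest_response(stored, method, params["uri"], params["nonce"],
                               params["nc"], params["cnonce"], params["qop"])
    if not hmac.compare_digest(expected, params["response"]):
        return False
    seen_nc[params["nonce"]] = nc
    return True


# Constructed htdigest file contents for user johnny with password "s3cret".
HTDIGEST = [f"johnny:Restricted:{ha1('johnny', 'Restricted', 's3cret')}"]


if __name__ == "__main__":
    seen = {}
    auth = client_authorization("johnny", "s3cret", "GET", "/secret.html", CHALLENGE,
                                cnonce="80ddead374b429b7")
    print("Authorization:", format_authorization(auth))
    print("first use accepted:", server_verify(auth, "GET", HTDIGEST, CHALLENGE["nonce"], seen))
    print("replay accepted:   ", server_verify(auth, "GET", HTDIGEST, CHALLENGE["nonce"], seen))
```

Note what the server needs to verify the response: only HA1, the nonce it issued and the request line. That is the "pro" of not storing passwords, and also the "con": HA1 is a password-equivalent, so the htdigest file must be protected exactly as carefully as an htpasswd file.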

14 How to set up Digest Authentication
- Have mod_auth_digest enabled on the web server
- Create the password file (not on a web-accessible path):
  htdigest -c myfile myrealm myuser
- Configure the server to ask for credentials. Ex. in .htaccess:
  AuthType Digest
  AuthName myrealm
  AuthDigestProvider file
  AuthUserFile myfile
  Require valid-user
http://httpd.apache.org/docs/2.2/howto/auth.html

15 Other types of authentication
- NTLM Authentication
- Certificate Authentication
- Integrated Windows Authentication
- Form-based authentication
