WWW-Authenticate - Faculty Home Pages

Internet and Web Development

Nov 13, 2013

HTTP Requests & Responses

1

Servlets: HTTP Request Header Contents and Responses

Road Map

- Recap and Overview
- Reading HTTP Request Headers
- Generating the Server Response
- Case Study 1: Search Engines
- Case Study 2: Basic Web Security
- Restricting by User Name/Password

Recap and Overview

Overview

- Interaction between browser and web server:

    Web Browser  --- Request --->  Web Server
    Web Browser  <-- Response ---  Web Server

Client Request Data

- When a user submits a browser request to a web server, it sends two categories of data:
  - Form Data: data that the user explicitly typed into an HTML form. For example: registration information.
  - HTTP Request Header Data: data that is automatically appended to the HTTP request by the client. For example: cookies, browser type, etc.

Reading HTTP Request Headers

Sample HTTP Request

- A sample HTTP request to Yahoo.com:

    GET / HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)
    Host: www.yahoo.com
    Connection: Keep-Alive
    Cookie: B=2td79o0sjlf5r&b=2

- Tip: check out http://www.web-sniffer.net

Accessing HTTP Headers

As in the SnoopServlet example:

- To access any of these headers, use the HttpServletRequest getHeader() method. For example:

    String connection = req.getHeader("Connection");

- To retrieve a list of all the header names, use the getHeaderNames() method. getHeaderNames() returns an Enumeration object. For example:

    // "enum" is a reserved word in Java, so the variable needs another name
    Enumeration headerNames = req.getHeaderNames();

Additional HTTP Information

- getMethod(): indicates the request method, e.g. GET or POST.
- getRequestURI(): returns the part of the URL that comes after the host and port. For example, for the URL http://randomhost.com/servlet/search, the request URI would be /servlet/search.
- getProtocol(): returns the protocol version, e.g. HTTP/1.0 or HTTP/1.1.

Reading Browser Types

- The User-Agent HTTP header indicates the browser and operating system. For example:

    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

- You can use this header to differentiate browser types or simply log browser requests.

Example User-Agents

- Internet Explorer:

    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

- Mozilla:

    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624

- For strange historical reasons, IE identifies itself as "Mozilla".
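The servlet below is an added example, not the lecture's SnoopServlet, that pulls together the methods from the last three slides: getMethod(), getRequestURI(), getProtocol(), getHeader(), getHeaderNames() and the User-Agent check. The class name, the browserFamily() heuristic and the logger setup are my own; only the javax.servlet API calls come from the slides. Because every header value is chosen by the client, the example HTML-escapes values before writing them into the page and strips line breaks before logging them, which is the check a practitioner would want before echoing headers anywhere.

```java
// Added example (not from the lecture): report the request line and all request
// headers. Header values are client-controlled input, so they are escaped for HTML
// and sanitised for the log before use.
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HeaderReportServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(HeaderReportServlet.class.getName());

    // Escape the characters that would let a header value inject markup into the page we emit.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Strip CR/LF so a crafted header cannot forge extra lines in a text log file.
    static String forLog(String s) {
        return s.replace('\r', ' ').replace('\n', ' ');
    }

    // Rough browser-family detection from User-Agent (the slide's "differentiate browser types").
    // IE announces itself as "Mozilla/4.0 (compatible; MSIE ...)", so test for MSIE first.
    static String browserFamily(String userAgent) {
        if (userAgent == null) return "unknown";
        if (userAgent.contains("MSIE")) return "Internet Explorer";
        if (userAgent.contains("Gecko")) return "Mozilla/Gecko";
        return "other";
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String ua = req.getHeader("User-Agent");
        LOG.info("method=" + req.getMethod() + " uri=" + req.getRequestURI()
                + " proto=" + req.getProtocol() + " ua=" + (ua == null ? "-" : forLog(ua)));

        res.setContentType("text/html;charset=UTF-8");
        PrintWriter out = res.getWriter();
        out.println("<html><body><h1>Request headers</h1>");
        out.println("<p>" + escapeHtml(req.getMethod() + " " + req.getRequestURI() + " " + req.getProtocol()) + "</p>");
        out.println("<p>Browser family: " + escapeHtml(browserFamily(ua)) + "</p>");
        out.println("<table border=\"1\">");
        // "enum" is a reserved word in Java, hence the variable name.
        Enumeration<String> names = req.getHeaderNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            // A header may be repeated (e.g. several Cookie lines); getHeaders() returns all of them,
            // whereas getHeader() would silently return only the first.
            Enumeration<String> values = req.getHeaders(name);
            while (values.hasMoreElements()) {
                out.println("<tr><td>" + escapeHtml(name) + "</td><td>"
                        + escapeHtml(values.nextElement()) + "</td></tr>");
            }
        }
        out.println("</table></body></html>");
    }
}
```

Map the servlet to a URL in web.xml or with @WebServlet and request it with a browser; the page lists every header the browser sent. The User-Agent classification is a hint for logging and presentation only: the header is trivially set by the client, so it must never be used as an access-control decision.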

Generating the Server Response

Sample HTTP Response

- As a refresher, here's a sample HTTP response:

    HTTP/1.1 200 OK
    Date: Mon, 06 Dec 2004 20:54:26 GMT
    Server: Apache/1.3.6 (Unix)
    Last-Modified: Fri, 04 Oct 2002 14:06:11 GMT
    Content-length: 327
    Connection: close
    Content-type: text/html

    <title>Sample Homepage</title>
    <img src="/images/oreilly_mast.gif">
    <h1>Welcome</h2>Hi there, this is a simple web page. Granted, it may…


Generating Responses

- Servlets can return any HTTP response they want.
- Useful for lots of scenarios:
  - Redirecting to another web site.
  - Restricting access to approved users.
  - Specifying a content-type other than text/html.
  - Returning images instead of HTML.

Setting the HTTP Status Code

- Normally, your servlet will return an HTTP status code of 200 OK to indicate that everything went fine.
- To return a different status code, use the setStatus() method of the HttpServletResponse object.
- Be sure to set the status code before sending any document content to the client: the status line is transmitted with the response headers, so once the response buffer has been flushed the status can no longer be changed.


Using setStatus()

- setStatus() takes an integer value, but it's best to use the predefined constants in HttpServletResponse. Here are a few:
  - SC_BAD_REQUEST: status code (400) indicating the request sent by the client was syntactically incorrect.
  - SC_FORBIDDEN: status code (403) indicating the server understood the request but refused to fulfill it.
  - SC_INTERNAL_SERVER_ERROR: status code (500) indicating an error inside the HTTP server which prevented it from fulfilling the request.
  - SC_NOT_FOUND: status code (404) indicating that the requested resource is not available.
Sending Redirects

- You can redirect the browser to a different URL by issuing a Moved Temporarily status code:
  - SC_MOVED_TEMPORARILY: status code (302) indicating that the resource has temporarily moved to another location.
- Because this is so common, the HttpServletResponse interface also has a sendRedirect() method. Example:

    res.sendRedirect("http://www.yahoo.com");

Example: Search Engines

Multiple Search Engines

SearchEngines Servlet

- Enables users to submit a search query to one of four search engines:
  - Google
  - AllTheWeb
  - Yahoo
  - AltaVista, etc.
- The code uses the HTTP response header to redirect the user to the correct search engine.

Architecture

    Web Browser  -->  SearchEngines Servlet : "I want to search for Bill Gates on Google"
    SearchEngines Servlet  -->  Web Browser : "Go to Google"
    Web Browser  -->  Google : "I want to search for Bill Gates on Google"
    Google  -->  Web Browser : "Your results…"

SearchSpec.java

- The SearchSpec object contains information about connecting to a specific search engine:

    public String makeURL(String searchString, String numResults)

- You provide this method with a search string and the number of results, and it returns the URL and search query specific to Google, Yahoo, HotBot, etc.
- The class is contained in SearchEngines.java on acad.

SearchUtilities.java

- The SearchUtilities.java code has an array of SearchSpec objects: one for Google, one for Yahoo, etc.
- It also provides a makeUrl method…

SearchEngines.java

- The main servlet code. This code:
  - Extracts the searchEngine parameter.
  - If no such parameter exists, it sends an HTTP error.
  - Otherwise, it calls SearchUtilities to construct the correct URL.
  - Finally, it redirects the user to this new URL.
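The following servlet is an added example in the shape just described, not the lecture's SearchEngines.java: it reads a searchEngine parameter, sends an HTTP error when the parameter is missing or unknown, builds the engine-specific URL and redirects. The engine table, its URL templates, the searchString parameter and the class name are my assumptions. The point worth noticing is that the client only selects a key from a fixed table and never supplies the destination URL itself, so sendRedirect() cannot be turned into an open redirect; the error paths also show setStatus()/sendError() being used before any body is written, as the earlier slide requires.

```java
// Added example (not the lecture's code): redirect to a search engine chosen by name.
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SearchRedirectServlet extends HttpServlet {
    // Allowlist of engines (assumed, illustrative URL templates). The client picks a key;
    // it never hands us a URL, which is what keeps this from being an open redirect.
    private static final Map<String, String> ENGINES = new LinkedHashMap<>();
    static {
        ENGINES.put("google", "https://www.google.com/search?q=%s");
        ENGINES.put("yahoo", "https://search.yahoo.com/search?p=%s");
    }

    // Counterpart of the lecture's makeURL(): null when the engine name is not in the table.
    // URLEncoder.encode(String, Charset) requires Java 10 or later.
    static String makeURL(String engine, String searchString) {
        String template = ENGINES.get(engine);
        if (template == null) return null;
        return String.format(template, URLEncoder.encode(searchString, StandardCharsets.UTF_8));
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String engine = req.getParameter("searchEngine");
        String query = req.getParameter("searchString");

        if (engine == null || query == null || query.isEmpty()) {
            // Missing parameter: an error status instead of a redirect. sendError() sets the
            // status and emits the container's error page; nothing else may be written after it.
            res.sendError(HttpServletResponse.SC_BAD_REQUEST,
                          "searchEngine and searchString are required");
            return;
        }

        String url = makeURL(engine.toLowerCase(Locale.ROOT), query);
        if (url == null) {
            // Unknown engine name: the fixed message deliberately does not echo the parameter.
            res.sendError(HttpServletResponse.SC_NOT_FOUND, "Unknown search engine");
            return;
        }

        // sendRedirect() sets SC_MOVED_TEMPORARILY (302) and the Location header for us.
        res.sendRedirect(url);
    }
}
```

A request such as /search?searchEngine=google&searchString=Bill+Gates answers 302 with a Location header built from the template; /search?searchEngine=example.org answers 404. URL-encoding the query before interpolating it is what stops a query containing "&" or "#" from altering the structure of the generated URL.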

Example: Basic Web Security

HTTP Authentication

- The HTTP protocol includes a built-in authentication mechanism.
- Useful for protecting web pages or servlets that require user name / password access.
- First, let's examine the basic mechanism and the HTTP headers involved.
- Then, let's figure out how to build a servlet that uses this mechanism.

Basic Authentication

1) If a web page is protected, the web server will issue an authentication "challenge":

    HTTP/1.1 401 Authorization Required
    Date: Sun, 27 Aug 2000 17:51:25 GMT
    Server: Apache/1.3.12 (Unix) ApacheJServ/1.1 PHP/4.0.0 mod_ssl/2.6.6 OpenSSL/0.9.5a
    WWW-Authenticate: BASIC realm="privileged-few"
    Keep-Alive: timeout=90, max=150
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html
WWW-Authenticate: BASIC realm="realm"

- When you issue a return status code of 401, "Authorization Required", you need to tell the browser what type of authentication is required.
- You do this via the WWW-Authenticate header. This header has two parameters:
  - BASIC: Basic authorization requiring user name and password.
  - Realm: you can create multiple "realms" of authentication for different users, e.g. "Admin", "User", "Super_User", etc.

Basic Authentication Cont.

2) Upon receiving an authentication challenge, the browser will prompt the user with a pop-up box requesting the user name and password.

3) The browser takes the "username:password" string from the user and encodes it (Base 64 is an encoding, not encryption) using the Base 64 encoding algorithm.
  - For example: if the string is "marty:martypw", the Base 64 string is "bWFydHk6bWFydHlwdw==".
  - We will not cover the details of Base 64, but remember that Base 64 is easy to decode. Therefore, even if your page is protected, someone can easily intercept your Base 64 string and decode it.

Basic Authentication Cont.

4) The browser reissues the request for the page. In the HTTP request, the browser indicates the Authorization string:

    GET /servlet/coreservlets.ProtectedPage HTTP/1.1
    Accept: image/gif, */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)
    Host: www.ecerami.com
    Connection: Keep-Alive
    Authorization: Basic bWFydHk6bWFydHlwdw==
Basic Authentication Cont.

5) The web server checks the user name and password.
  - If the user name/password is correct, the web server displays the protected page.
  - If the user name/password is incorrect, the web server issues a second authentication challenge.

Almost there…

- Before we examine the actual servlet code, there are two pieces of Java coding we need to examine:
  - sun.misc.BASE64Decoder
  - java.util.Properties

Base 64 Encoding

- Sun provides a class called sun.misc.BASE64Decoder.
- You can use the decodeBuffer() method to decode the Base 64 string sent from the user:

    String userInfo = "bWFydHk6bWFydHlwdw==";
    BASE64Decoder decoder = new BASE64Decoder();
    String nameAndPassword = new String(decoder.decodeBuffer(userInfo));

- After this code, nameAndPassword will be set to "marty:martypw".

java.util.Properties

- A utility class for reading in property files.
- For example, suppose you have the following password.properties file:

    #Passwords
    #Sat Aug 26 11:15:42 EDT 2000
    nathan=nathanpw
    marty=martypw
    lindsay=lindsaypw
    bj=bjpw

java.util.Properties

- You can easily and automatically load the password file and parse its contents:

    passwordFile = "passwords.properties";
    passwords = new Properties();
    passwords.load(new FileInputStream(passwordFile));

- Then, you can extract the password for a specific user name:

    String password = passwords.getProperty("marty");


ProtectedPage.java

Here's how the servlet works:

1) Initialization: read in a password file of valid user names and passwords.
2) Check for the HTTP Authorization header.
3) Decode the Authorization header using Base 64 to obtain user name and password.
4) Check the user name and password against the valid names list.
  - If valid, show the protected page.
  - Else, issue another authentication challenge.
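The servlet below is an added example, not the lecture's ProtectedPage.java, that carries out the four steps above and also serves as the worked version of the two preceding slides (Base 64 decoding and java.util.Properties). Two substitutions are mine: java.util.Base64 replaces sun.misc.BASE64Decoder, which is an internal JDK class that was removed in Java 9, and the password comparison uses MessageDigest.isEqual() rather than String.equals(). The realm string, the passwordFile init-parameter and the class name are assumptions. The decoder treats a malformed Authorization header (wrong scheme, invalid Base 64, no colon) as "no credentials" and re-issues the challenge instead of throwing.

```java
// Added example (not the lecture's code): HTTP Basic authentication in a servlet.
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Properties;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ProtectedPageServlet extends HttpServlet {
    private static final String REALM = "privileged-few";   // assumed realm name
    private final Properties passwords = new Properties();

    // Step 1: load user=password pairs once, at initialisation.
    @Override
    public void init() throws ServletException {
        String passwordFile = getInitParameter("passwordFile");   // assumed init-param
        if (passwordFile == null) passwordFile = "passwords.properties";
        try (InputStream in = new FileInputStream(passwordFile)) {
            passwords.load(in);
        } catch (IOException e) {
            throw new ServletException("cannot read password file " + passwordFile, e);
        }
    }

    // Step 3: turn "Basic <base64>" into {user, password}, or null if the header is malformed.
    static String[] decodeBasic(String authorization) {
        if (authorization == null) return null;
        String[] parts = authorization.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) return null;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(parts[1]);       // strict: rejects junk characters
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Browsers send the pair as bytes; UTF-8 is assumed here.
        String nameAndPassword = new String(raw, StandardCharsets.UTF_8);
        int colon = nameAndPassword.indexOf(':');             // user-id ":" password
        if (colon < 0) return null;
        return new String[] { nameAndPassword.substring(0, colon),
                              nameAndPassword.substring(colon + 1) };
    }

    // Step 4: constant-time compare, so timing does not reveal how many characters matched.
    static boolean credentialsValid(Properties table, String user, String password) {
        String expected = table.getProperty(user);
        if (expected == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     password.getBytes(StandardCharsets.UTF_8));
    }

    // The challenge from step 1 of the HTTP exchange: 401 plus WWW-Authenticate.
    // The header is set before sendError() commits the response.
    private static void challenge(HttpServletResponse res) throws IOException {
        res.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // Step 2: look for the Authorization header the browser adds after the challenge.
        String[] creds = decodeBasic(req.getHeader("Authorization"));
        if (creds == null || !credentialsValid(passwords, creds[0], creds[1])) {
            challenge(res);                                    // missing or wrong: challenge again
            return;
        }
        res.setContentType("text/html;charset=UTF-8");
        PrintWriter out = res.getWriter();
        out.println("<html><body><h1>Protected page</h1><p>You are authenticated.</p></body></html>");
    }
}
```

With the lecture's password file, a request carrying "Authorization: Basic bWFydHk6bWFydHlwdw==" reaches the page; any other request receives the 401 challenge. Two points follow directly from the slides: Base 64 is reversible, so this exchange only protects the password if the connection itself is encrypted (TLS), and a plain user=password file is readable by anyone who can read the file, so a deployment would store salted password hashes and compare against those instead.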


Form Authentication System

- BASE64 is not secure.
- Need a secure solution!
- Use an HTML form.
- Example: FormAuthenticate
  - A request to the servlet attempts to access protected data.
  - The user is redirected to a login form web page.
  - The example accepts any user name/password combination.
  - Once authenticated, the user is redirected to the desired page.
  - A session object is used to store the desired destination during the login diversion.
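The pair of servlets below is an added example of the FormAuthenticate flow, not the lecture's own code: a protected servlet that stores the requested destination in the session and diverts to a login form, and a login servlet that, after a successful POST, sends the user back to that destination. The attribute names, URL paths, class names and the checkPassword() placeholder are assumptions; the lecture's example accepts any combination, and the placeholder does the same apart from rejecting empty values. Two checks are added that the bullet list leaves implicit: the stored destination must be a same-site path (otherwise the post-login redirect is an open redirect), and the session id is rotated at login so a session fixed before authentication does not carry over.

```java
// Added example (not the lecture's code): form login with the destination kept in the session.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class FormAuthServlets {
    static final String USER_ATTR = "authenticatedUser";   // assumed attribute names
    static final String DEST_ATTR = "loginDestination";

    // Only same-site paths may be used as a post-login destination. An absolute URL or a
    // protocol-relative "//host" would let a crafted link bounce the user off-site after login.
    static boolean isSafeLocalPath(String p) {
        return p != null && p.startsWith("/") && !p.startsWith("//")
                && !p.contains("\\") && !p.contains("\r") && !p.contains("\n");
    }

    // The protected resource (assumed mapping e.g. /data): divert unauthenticated users to the
    // login form, remembering where they wanted to go.
    public static class ProtectedData extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse res)
                throws ServletException, IOException {
            HttpSession session = req.getSession(true);
            if (session.getAttribute(USER_ATTR) == null) {
                String wanted = req.getRequestURI();           // already includes the context path
                if (req.getQueryString() != null) wanted += "?" + req.getQueryString();
                session.setAttribute(DEST_ATTR, wanted);
                res.sendRedirect(req.getContextPath() + "/login");
                return;
            }
            res.setContentType("text/plain;charset=UTF-8");
            res.getWriter().println("protected data for " + session.getAttribute(USER_ATTR));
        }
    }

    // The login form (assumed mapping /login): GET shows the form, POST checks it.
    public static class Login extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException {
            res.setContentType("text/html;charset=UTF-8");
            PrintWriter out = res.getWriter();
            out.println("<form method=\"post\"><input name=\"user\">"
                    + "<input type=\"password\" name=\"password\">"
                    + "<input type=\"submit\" value=\"Log in\"></form>");
        }

        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
            String user = req.getParameter("user");
            String password = req.getParameter("password");
            if (user == null || password == null || !checkPassword(user, password)) {
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Read the saved destination, then discard the pre-login session so its id is not reused.
            HttpSession old = req.getSession(false);
            String dest = old == null ? null : (String) old.getAttribute(DEST_ATTR);
            if (old != null) old.invalidate();
            HttpSession session = req.getSession(true);
            session.setAttribute(USER_ATTR, user);
            res.sendRedirect(isSafeLocalPath(dest) ? dest : req.getContextPath() + "/");
        }

        // Placeholder matching the lecture ("takes any combination"); a real check would look up
        // a salted password hash for the user, as the Basic-auth example above does with its table.
        static boolean checkPassword(String user, String password) {
            return !user.isEmpty() && !password.isEmpty();
        }
    }
}
```

A first request to /data with no session attribute answers 302 to /login; after the POST succeeds the browser is sent back to the original /data URL, query string included. Submitting the form over plain HTTP still exposes the password on the wire exactly as Basic authentication does, so the form approach improves matters only when the login page is served over TLS.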

Summary

- Lots of hidden HTTP data, including headers and cookies, is sent from the browser to the server.
- HTTP header data can also be sent from the server to the browser, e.g. error codes, redirection codes, etc.