Topic - HTTP Basic Authentication
from forum Administration and Deployment
HTTP Basic Authentication
Joined: 28-July-2007
Posts: 62
Location: Boston, MA USA
Posted: 1-November-2007 16:30
I noticed that by default the back-end fulcrum prompts for a user name and password. Is this using HTTP Basic Authentication?

And can this be done on the front-end?

Or should we use a URI Gateway? And if we used a URI Gateway, would the user name/password be passed as an encoded parameter, or would it have been decoded already and passed along as username & password parameters?

Note I would like to keep the requests stateless. So the user name and password will be passed every time.
Authentication
Joined: 15-February-2005
Posts: 127
Location: Fort Collins, CO
Posted: 1-November-2007 16:43
In the standard NetKernel installation authentication is not set up for either the frontend or backend fulcrums.

Is this something that you want to set up for your installation?

Randy
HTTP Basic Authentication & NetKernel
Joined: 28-July-2007
Posts: 62
Location: Boston, MA USA
Posted: 1-November-2007 17:00
I am trying to come up with the most efficient and maintainable way of implementing authentication for our web services. HTTP supports Basic Authentication by allowing a client to submit a user name/password. I believe these are encoded into one value. I wanted to know whether the encoded value would be passed on to a URI Gateway, or would the Jetty or HTTP Bridge code have already decoded them and attached them as parameters.
Joined: 15-February-2005
Posts: 127
Location: Fort Collins, CO
Posted: 1-November-2007 17:19
You need to add the Jetty HTTP authentication handler.

This topic: http://www.1060.org/forum/topic/265/1 should cover the details.

Randy
HTTP Basic Authentication Followup Questions
Joined: 28-July-2007
Posts: 62
Location: Boston, MA USA
Posted: 7-December-2007 19:53
If basic authentication is enabled on the backend fulcrum, a username/password is required. We tested this using a browser and a JMeter test. But we have run into issues:

1. Why is a GET restricted but a POST passes through without credentials?

2. Once the request passes through the http bridge, how can one access the username from within a Java Accessor?
GET vs POST authentication
Joined: 13-June-2007
Posts: 12
Posted: 7-December-2007 21:05
Regarding question (1):
Each of the HTTP verbs must be locked down. If you lock the admin interface using a configuration handler given in:
http://www.1060.org/forum/topic/265/2
only the GET verb is included (so any "typical" URL-only request from the browser to NK is covered). Including the other verb names in this same type of setup will secure these other verbs as well.
HTTP Basic Authentication - Obtain userid argument
Joined: 28-July-2007
Posts: 62
Location: Boston, MA USA
Posted: 10-December-2007 19:21
1. Modify the HTTPBridgeConfig to pass authorization header
<passHeaders>Authorization</passHeaders>


2. Within Java Accessor, source Authorization Header

String authorizationHeader = ((IAspectString)context.sourceAspect
    ("this:param:Authorization",IAspectString.class)).getString();


3. Parse Authorization String


Basic ZXNiOm715Gs1cm41bA==


a. Remove Basic

b. Decode ZXNiOm715Gs1cm41bA==

c. Extract userid from userid:password
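
The parsing steps (a to c) from the post above, as an added Java example that is not part of the original thread or of NetKernel's own code. The class name `BasicAuthHeader` and method `userId` are hypothetical; it assumes `java.util.Base64` (Java 8 or later) and UTF-8 encoded credentials, and the sample header is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Hypothetical helper: extracts the userid from an Authorization header value.
public final class BasicAuthHeader {
    private BasicAuthHeader() {}

    /** Returns the userid, or empty if the header is absent or malformed. */
    public static Optional<String> userId(String headerValue) {
        if (headerValue == null) return Optional.empty();
        String value = headerValue.trim();
        // Step a: strip the scheme; its name is matched case-insensitively.
        if (!value.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Optional.empty();
        }
        String decoded;
        try {
            // Step b: Base64-decode the credentials token.
            byte[] raw = Base64.getDecoder().decode(value.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8); // charset is an assumption
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // token is not valid Base64
        }
        // Step c: split on the FIRST colon only; the password may contain colons.
        int colon = decoded.indexOf(':');
        if (colon <= 0) return Optional.empty(); // no separator or empty userid
        return Optional.of(decoded.substring(0, colon));
    }

    public static void main(String[] args) {
        // Constructed sample credentials, not taken from the thread.
        String sample = "Basic " + Base64.getEncoder().encodeToString(
                "alice:s3cret:with:colons".getBytes(StandardCharsets.UTF_8));
        System.out.println(userId(sample));        // well-formed header
        System.out.println(userId("Bearer abc"));  // wrong scheme
        System.out.println(userId("Basic !!!"));   // invalid Base64
        System.out.println(userId(null));          // header not passed through
    }
}
```

Decoding the header only recovers what the client sent; it does not verify the password. As noted earlier in the thread, a verb not covered by the authentication handler passes through without credentials, so an accessor should treat an empty result as an unauthenticated request.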
© 2003-2006, 1060 Research Limited. 1060 registered trademark, NetKernel trademark of 1060 Research Limited.