Opened 13 years ago

Closed 10 years ago

#610 closed (fixed)

Webservice authentication should support Basic authentication

Reported by: Gregory Vincic
Owned by: olle
Milestone: Proteios SE 2.18.0
Keywords:
Cc:

Change History (11)

comment:1 Changed 12 years ago by Gregory Vincic

Owner: changed from Gregory Vincic to olle

comment:2 Changed 10 years ago by Fredrik Levander

Milestone: changed from Proteios SE Future Release to Proteios SE 2.18.0

comment:3 Changed 10 years ago by olle

Status: changed from new to assigned

Ticket accepted.

Last edited 10 years ago by olle

comment:4 Changed 10 years ago by olle

Traceability note:

The web service is managed by class/file Service.java in client/servlet/.

  • The web service was redesigned in Ticket #546 (Concurrency bug in webservice).
  • The latest update of the web service was in Ticket #669 (Allow file compression via web service).

comment:5 Changed 10 years ago by olle

Design discussion - general:

Background:

Basic authentication is an HTTP method for sending username and password to a web application as an "Authorization" header:

  1. Username and password are combined into a string, separated by a colon; e.g. for username "john" and password "cow", the string would be "john:cow".
  2. The combined username:password string is encoded using Base64, e.g. for "john:cow" the result is "am9objpjb3c=".
  3. The Base64-encoded string is prefixed by the authorization method name and a space, i.e. "Basic ", and sent as the HTTP "Authorization" header, e.g. for "john:cow" the string "Basic am9objpjb3c=".

The original method for sending log-in credentials to the Proteios SE web service was to send them as parameters "username" and "password", e.g.

http://localhost:8080/proteios/resource/projects?username=john&password=cow

It should be emphasized that basic authentication is not safer than this method, as the HTTP header can be intercepted and the Base64-encoded string decoded. If security is essential, a secure connection should be used in both cases, e.g. https or other method implementing SSL/TLS.

The ability hinted to in the ticket description of using basic authentication by prefixing the url address part with a string composed of username and password separated by a colon and followed by an '@' character, e.g. for username "john" and password "cow"

http://john:cow@localhost:8080/proteios/resource/projects

depends on the client used to send the HTTP request. Web browsers like Firefox 15.0.1 do not seem to support it, when the url is entered directly. However, web client cURL (http://curl.haxx.se/) supports it, so a command like

curl "http://john:cow@localhost:8080/proteios/resource/files?select=Name"

will list the names of files for user "john".

Last edited 10 years ago by olle

comment:6 Changed 10 years ago by olle

Design discussion - implementation:

  • Basic authentication should be an alternative to the default one sending username and password as parameters to the HTTP request - the latter method should still work, since it has the benefit of working directly in web browsers, although the methods PUT and DELETE normally aren't supported.
  • The web service should first check if username and password are sent as parameters to the HTTP request, and if not, check in the "Authorization" header for basic authentication.
  • Class/file io/Base64Util.java in api/core/ should be extended with new public static methods String decode(String dataString) and String encode(String dataString). The encoding method is not needed for implementing basic authentication in the web service, but is included to keep the API of Base64Util consistent, and is convenient for testing basic authentication.
  • Class/file Service.java in client/servlet/ should be updated in private method SessionControl authenticate(HttpServletRequest request) to check if username and password are sent as parameters to the HTTP request, and if not, check in the "Authorization" header for basic authentication.

comment:7 Changed 10 years ago by olle

(In [4381]) Refs #610. Proteios SE web service updated to support basic authentication.

  1. Class/file io/Base64Util.java in api/core/ should be extended with new public static methods String decode(String dataString) and String encode(String dataString). The encoding method is not needed for implementing basic authentication in the web service, but is included to keep the API of Base64Util consistent, and is convenient for testing basic authentication.
  2. Class/file Service.java in client/servlet/ should be updated in private method SessionControl authenticate(HttpServletRequest request) to check if username and password are sent as parameters to the HTTP request, and if not, check in the "Authorization" header for basic authentication.

comment:8 Changed 10 years ago by olle

Design update:

It turns out that some web clients, including Firefox 15.0.1, only send a basic authentication header if the web service returns a first request with response status 401 (HttpServletResponse.SC_UNAUTHORIZED). The response is expected to have a "WWW-Authenticate" header indicating the realm for basic authentication, and contain a message requesting username and password. If credentials are supplied in the URL of the type http://username:password@localhost:8080/proteios/resource/..., Firefox will send them directly in the second request, otherwise a log-in pop-up dialog will allow the user to enter them (this will also occur when the credentials are wrong, giving the user a chance to give correct log-in data). Only if the log-in pop-up dialog is canceled will the error response from the web server for the initial request be shown.

  • A request with insufficient or wrong credentials currently leads to exceptions being thrown. In order for the web service to support sending an appropriate response to a first request with insufficient credentials, these exceptions have to be caught.
  • The entry points to the web service servlet Service.java in client/servlet/ are the four protected methods doGet(), doPost(), doPut(), and doDelete(), each with two arguments HttpServletRequest request and HttpServletResponse response. In all four methods, the first command is a call to private method RequestData startRequest(HttpServletRequest request, HttpServletResponse response) to get a RequestData object. Method startRequest() in turn calls private method SessionControl authenticate(HttpServletRequest request) to get a SessionControl object to use.
  • Method authenticate() will throw an exception if credentials are insufficient or wrong. Even if the exception thrown by authenticate() is caught by startRequest(), the latter will throw an exception, since it did not obtain a valid SessionControl object from authenticate().

Proposed changes to Service.java:

  1. The four methods that are entry points to the web service are changed to catch any exceptions being thrown inside them. In order to clarify the code, all commands except the call to startRequest() will be broken out and put into a new method with the same name as the original method, but with "AuthenticationOk" added to the end, e.g. method doGet(...) will call startRequest() and doGetAuthenticationOk(..., RequestData data).
  2. Private method RequestData startRequest(HttpServletRequest request, HttpServletResponse response) will be updated to catch exceptions being thrown by method authenticate(...), and to send a 401 HttpServletResponse.SC_UNAUTHORIZED error response. In the "WWW-Authenticate" header, the realm is addressed as "Proteios".
  3. Private method SessionControl authenticate(HttpServletRequest request) will be updated to use credentials from basic authentication over any given as parameters to the request. If a web browser is used, this will allow the user the possibility of giving the correct credentials in a log-in pop-up dialog, if the ones given as parameters are wrong (if the priority wasn't changed, the wrong parameter credentials would be tried again, and result in a new log-in pop-up dialog being shown in a never-ending loop).

Last edited 10 years ago by olle
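
The header format described in comment:5 and the 401-challenge and precedence flow from comment:8, as an added Python model of the logic (this is not Service.java or any Proteios code); the user table, the `check` callback and the function names are constructed for illustration.

```python
import base64
import binascii
import hmac
from typing import Callable, Dict, Optional, Tuple

REALM = "Proteios"  # realm name the ticket chooses for the WWW-Authenticate challenge
USERS = {"john": "cow"}  # constructed sample account; a real service consults its user store

def check_password(username: str, password: str) -> bool:
    """Constant-time comparison against the constructed user table."""
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))

def encode_basic(username: str, password: str) -> str:
    """Header value as in comment:5: "Basic " + base64("username:password")."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token

def decode_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """(username, password) from an Authorization header; None if the header is absent,
    not Basic, or not valid base64. Splits on the first colon only, so a password may
    itself contain colons."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, pw = raw.partition(":")
    return user, pw

def authenticate(headers: Dict[str, str], params: Dict[str, str],
                 check: Callable[[str, str], bool] = check_password) -> dict:
    """Flow from comment:8: Basic credentials win over the username/password request
    parameters, and a missing or failed login returns a 401 challenge instead of
    raising, so a browser can prompt for credentials and retry."""
    creds = decode_basic(headers.get("Authorization"))
    if creds is None and "username" in params and "password" in params:
        creds = (params["username"], params["password"])
    if creds is not None and check(*creds):
        return {"status": 200, "user": creds[0]}
    return {"status": 401, "headers": {"WWW-Authenticate": f'Basic realm="{REALM}"'}}
```

Because the Basic header is tried first, a browser that keeps resending wrong query parameters still gets out of the loop once the user types correct credentials into the pop-up dialog.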

comment:9 Changed 10 years ago by olle

(In [4383]) Refs #610. Proteios web service basic authentication updated to send a response with status 401 (HttpServletResponse.SC_UNAUTHORIZED) to a request with insufficient or wrong credentials. The response has a "WWW-Authenticate" header indicating the realm for basic authentication as "Proteios". Also, basic authentication credentials will now be used over any credentials being sent as parameters.

comment:10 Changed 10 years ago by olle

Proteios SE Webservice wiki page updated with new section on basic authentication (changeset [20]).

comment:11 Changed 10 years ago by olle

Resolution: fixed
Status: changed from assigned to closed

Ticket closed since the desired support has been added.
