8: Authentication · Big Bee Consultants Ltd

21 Jan 2001

Users can log into HTTP sites via various mechanisms including:

Basic authentication: the server challenges the client, the web browser may prompt the user for username & password and sends them with subsequent requests. The credentials are not protected from snoopers.
Digest authentication: the server challenges the client, the web browser may prompt the user for username & password and sends them with subsequent requests. The credentials are protected from snoopers.
Certificate authentication: the server challenges the client for a certificate and the client sends it, if it can. This is discussed on the previous page.
Form authentication: the website includes a form for username & password, and then a cookie token is used. This topic is beyond the scope of this tutorial, but is supported via cookies.
OpenID or OAuth: a separate OpenID/OAuth service validates the username, password etc, and then some cookies containing OpenID or OAuth tokens are used. This topic is beyond the scope of this tutorial, but is supported via cookies and other headers as needed.

Bee-client supports basic and digest authentication directly, and the others indirectly. NTLM and KerberosV5 are not supported at present, although the API allows you to send the necessary headers if you know them.

Authentication always demands that the traffic is encrypted using HTTPS. Nowadays, it is hard to justify not doing so, even for private LAN traffic.

Basic Authentication

* Hand-Implemented Case: Just Send The Authentication Header

When a server is protected by basic authentication, any simple attempt to access protected URLs will be rejected with a 401 status (authentication required). This example illustrates this:

...  imports
object Example6a1 extends App {
  val url = "http://beeclient/private/lorem2.txt"
  val httpClient = new HttpClient
  val response401 = httpClient.get(url) // no authentication
  println(response401.status)
  println(response401.headers(HeaderName.WWW_AUTHENTICATE).toAuthenticateValue)
}

Clearly, a rejection is unsatisfactory. If we know a correct username and password, we can supply them via a Credential instance:

...  imports
object Example6a2 extends App {
  val url = "http://beeclient/private/lorem2.txt"
  val httpClient = new HttpClient
  val credential = new Credential("bigbee", "HelloWorld")
  val login = Headers(credential.toBasicAuthHeader)
  val response200 = httpClient.get(url, login) // with authentication
  println(response200.status)
  println(response200.body)
}

The server confirms that the correct authentication was sent and responds with 200 and the normal content.

* Automatic Case: Use HttpBrowser with an AuthenticationRegistry

HttpClient and HttpBrowser both implement the Http client trait. HttpClient is intended for normal simple cases. HttpBrowser augments it with the ability to aggregate cookies and authentication state automatically. Although HttpBrowser contains mutable state, it is safe to share instances between more than one thread.

For the purposes of authentication, you need to construct a CredentialSuite and pass it to the HttpBrowser. CredentialSuite contains the mappings between authentication realms and their credentials, so you construct it with a Map of realm names to Credential instances like this:

...  imports
object Example6b extends App {
  val url = "http://beeclient/private/lorem2.txt"
  val credential = new Credential("bigbee", "HelloWorld")
  val suite = new CredentialSuite(Map("Restricted" -> credential))
  val browser = new HttpBrowser(credentialSuite = suite)
  val response200 = browser.get(url)
  println(response200.status)
  println(response200.body)
}

On the first occasion, the HttpBrowser will internally make two requests: the first one returns a 401 and the name of a realm. Given that the CredentialSuite maps that realm to the necessary username/password combination, a second attempt is made on the same request, this time with the authentication header. The result is a 200 and the expected response body.

The HttpBrowser caches the URL-to-realm association so that subsequent requests to the same URL tree do not need to suffer the double round trip, which is good news for network latency.

Digest Authentication

(in preparation)