
1.12 Authorization

An Authorization header is used to request restricted documents. Upon first requesting a restricted document, the web client requests the document without sending an Authorization header. If the server denies access to the document, the server specifies the authorization method for the client to use with the WWW-Authenticate header. At this point, the client requests the document again, but with an Authorization header.

The Authorization header is of the general form:

Authorization: SCHEME REALM

The authorization scheme generally used in HTTP is BASIC, and under the BASIC scheme the credentials follow the format username:password encoded in base 64. For example, for the username of webmaster and a password of zrqma4v, the Authorization header would look like this:

Authorization: Basic d2VibWFzdGVyOnpycW1hNHY=

When d2VibWFzdGVyOnpycW1hNHY= is decoded using base 64, it translates into webmaster:zrqma4v.

For example, a client requests information that requires authorization, and the server responds with response code 401 (Unauthorized) and an appropriate WWW-Authenticate header describing the type of authentication required:

GET /sample.html HTTP/1.0
User-Agent: Mozilla/1.1N (Macintosh; I; 68K)
Accept: */*
Accept: image/gif
Accept: image/x-xbitmap
Accept: image/jpeg

The server then declares that further authorization is required to access the URL:

HTTP/1.0 401 Unauthorized
Date: Sat, 20-May-95 03:32:38 GMT
Server: NCSA/1.3
MIME-version: 1.0
Content-type: text/html
WWW-Authenticate:  BASIC realm="System Administrator"

The client now seeks authentication information. Interactive GUI-based browsers might prompt the user for a user name and password in a dialog box. Other clients might just get the information from an online file or a hardware device.

The realm of the authentication scheme indicates the type of authentication requested. Each realm is defined by the web administrator of the site and indicates a class of users: administrators, CGI programmers, registered users, or anything else that separates one class of authorization from another. After encoding the data appropriately for the BASIC authorization method, the client resends the request with proper authorization:

GET /sample.html HTTP/1.0
User-Agent: Mozilla/1.1N (Macintosh; I; 68K)
Accept: */*
Accept: image/gif
Accept: image/x-xbitmap
Accept: image/jpeg
Authorization: BASIC d2VibWFzdGVyOnpycW1hNHY=

The server checks the authorization, and upon successful authentication, sends the requested data:

HTTP/1.0 200 OK
Date: Sat, 20-May-95 03:25:12 GMT
Server: NCSA/1.3
MIME-version: 1.0
Content-type: text/html
Last-modified: Wednesday, 14-Mar-95 18:15:23 GMT
Content-length: 1029

[Entity-body data]
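The client-side encoding and the server-side check behind the exchange above, as an added Python example that is not from the book: the function names are my own, the challenge parser handles only the realm form shown in this section, and a real server would compare against a stored password hash rather than the plaintext used here.

```python
import base64
import binascii
import hmac
import re
from typing import Optional, Tuple

# Parses the challenge sent with the 401, e.g.
#   WWW-Authenticate: BASIC realm="System Administrator"
# Scheme names are case-insensitive in HTTP, so the scheme is lower-cased.
_CHALLENGE = re.compile(r'^\s*(\w+)\s+realm="([^"]*)"\s*$')

def parse_challenge(header_value: str) -> Tuple[str, str]:
    m = _CHALLENGE.match(header_value)
    if not m:
        raise ValueError("unsupported WWW-Authenticate challenge")
    return m.group(1).lower(), m.group(2)

def build_basic_authorization(username: str, password: str) -> str:
    # Client side: "username:password" encoded in base 64, as the section describes.
    if ":" in username:
        raise ValueError("Basic auth user names cannot contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_basic_authorization(header_value: str) -> Optional[Tuple[str, str]]:
    # Server side: decode the credentials and reject anything malformed
    # (wrong scheme, invalid base 64, no separator) instead of guessing.
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    # Only the first ':' separates the fields, so passwords may contain ':'.
    user, _, pw = decoded.partition(":")
    return user, pw

def check_credentials(header_value: str, expected_user: str, expected_password: str) -> bool:
    # Hypothetical verifier: compares both fields in constant time so the
    # response time does not reveal how much of the credential matched.
    creds = parse_basic_authorization(header_value)
    if creds is None:
        return False
    user, pw = creds
    user_ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    pw_ok = hmac.compare_digest(pw.encode("utf-8"), expected_password.encode("utf-8"))
    return user_ok and pw_ok
```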

There's also something called Digest authentication. The Digest authentication scheme provides security benefits over the BASIC scheme. Unfortunately, the major web browsers do not support it, and web sites tend not to make use of it for this reason. There are some HTTP client libraries that make use of it, however. See RFC 2617 for more information about the Digest format.
