Problems with HTTP Authentication


Emilio Casbas
Article date: 2006-08-09 17:49:47

Authentication is a technique of identification based on knowledge. HTTP has authentication built in as a native feature. In this article, Emilio will concentrate on basic authentication, which is the more widespread among clients and Web servers but also the less secure.

The HTTP protocol offers us a challenge-response authentication mechanism which can be used by a Web or proxy server to grant or refuse access to resources on the network.

Nowadays the Net carries millions of transactions and serves both public and confidential data. The network makes it all possible, but in order to maintain security we must know who has access to our sensitive data and who can perform privileged operations.

One must be sure that unauthorised users cannot browse documents to which they have no access. Servers must somehow find out who the user in question is and, using that information, decide what kind of action they may take.

What you will learn...

  • Various scopes of HTTP authentication

  • Differences in authenticating HTTP in various scopes

  • Practical examples of HTTP conversations

  • Weaknesses of authentication

  • Solutions or alternatives

What you should know...

  • The OSI model

  • The HTTP protocol

Authentication is a technique of identification based on knowledge, that is, on something the user knows, like a password or a PIN number. HTTP has authentication built in as a native feature; in fact, HTTP defines two official authentication protocols: basic and digest. Here I will concentrate on basic authentication, which is the more widespread among clients and Web servers but also the less secure.

Figure 1. Web servers on the Internet

These are the scopes of using this method of authentication:

  • Web servers on the Internet - this is the most common scenario. From home or an Internet cafe, the user accesses a website with HTTP authentication configured, in order to reach some of its resources. A quick look at corporate websites shows that a large number of them use this kind of authentication to admit users to restricted sections of the site.

  • Web servers on an intranet - in this case the scope of operation is narrower, as it is limited to the company intranet. Then again, the problems associated with this kind of authentication are the same as in the previous situation - any resource available on the network is just as vulnerable.

Figure 2. Web servers on an intranet

  • Proxy servers on the Internet - it may be that certain resources of a particular network can only be reached by going through that institution's proxy server, or the proxy may have been put in place to control access in general. HTTP authentication can therefore also be implemented in a proxy, in which case the credentials travel across the Internet as well.

  • Proxy servers on an intranet - it is very common for a corporate network to allow access to the Internet only through a proxy server, the aim being full control over Internet use. It is therefore completely natural in this case to configure the proxy server to demand authorisation, in order to control the users' access to the network. Typically this type of authorisation is integrated with other mechanisms available on the intranet; to make things worse, there may be Single Sign On in place, which we will discuss later.
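As an added example (not part of the original article), the server and proxy scopes above played out in Python: one function builds the client's reply to a Basic challenge, the other shows what anyone able to read the unencrypted traffic learns from it. The hosts, realms, user names and passwords are constructed, not taken from any real system.

```python
import base64
import re

# Constructed sample traffic (not a real capture): a Web server challenge
# (401) and a proxy challenge (407), each answered with Basic credentials.
# User names and passwords are made up.
SAMPLE_TRAFFIC = (
    "GET /intranet/report.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Staff"\r\n\r\n'
    "GET /intranet/report.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "Authorization: Basic YWxpY2U6czNjcjN0\r\n\r\n"
    "GET http://www.example.org/ HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    'Proxy-Authenticate: Basic realm="Corporate proxy"\r\n\r\n'
    "GET http://www.example.org/ HTTP/1.1\r\nHost: www.example.org\r\n"
    "Proxy-Authorization: Basic Ym9iOnBAc3N3MHJk\r\n\r\n"
)

CHALLENGE_RE = re.compile(
    r'^(WWW|Proxy)-Authenticate:\s*Basic\s+realm="([^"]*)"', re.M | re.I)
CREDENTIAL_RE = re.compile(
    r"^(Authorization|Proxy-Authorization):\s*Basic\s+([A-Za-z0-9+/=]+)",
    re.M | re.I)


def basic_response_header(challenge_line, user, password):
    """Header a client sends back to a Basic challenge: WWW-Authenticate is
    answered with Authorization, Proxy-Authenticate with Proxy-Authorization.
    The value is nothing more than base64("user:password")."""
    prefix = "Proxy-" if challenge_line.lower().startswith("proxy-") else ""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode()
    return f"{prefix}Authorization: Basic {token}"


def audit_basic_auth(http_text):
    """Report every Basic credential visible in plain-text HTTP traffic.
    Anyone who can read the traffic recovers user and password by base64-
    decoding the header; no key is involved. Only the password length is kept."""
    realms = {s.lower(): r for s, r in CHALLENGE_RE.findall(http_text)}
    findings = []
    for header, token in CREDENTIAL_RE.findall(http_text):
        scope = "proxy" if header.lower().startswith("proxy") else "www"
        user, _, pw = base64.b64decode(token).decode("latin-1").partition(":")
        findings.append({"header": header, "scope": scope,
                         "realm": realms.get(scope), "user": user,
                         "password_length": len(pw)})
    return findings
```

Running `audit_basic_auth(SAMPLE_TRAFFIC)` yields one finding per scope, each with the realm that was challenged and the user name recovered from the header, which is exactly why Basic authentication must not travel over an unencrypted connection.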

Copyright © 2006 by Software Developer's Journal. All rights reserved.