Millions of people use the Web for private transactions and for access to private data. This information is easy to reach over the Web, but easy access is not enough: we want only certain people to be able to see our sensitive information and to carry out our privileged operations. Not all information can be published to everyone. The server therefore needs a way to learn the user's identity. Once it knows who the user is, it can decide which transactions and resources that user may access. Authentication is usually done by supplying a user name and a password. Basic authentication is the native challenge/response framework provided by HTTP, and it keeps the authentication process simple for users.
Basic Authentication Steps
The following describes the steps of a Basic authentication exchange:
- The client sends a request that carries no authentication information (see (a)).
- The server needs to challenge the user, so it returns a 401 Unauthorized response and explains how and where to authenticate in the WWW-Authenticate header (see (b)).
- The client program repeats the request, this time attaching the encoded user name and password, plus any other authentication parameters, in the Authorization header (see (c)).
- When the authorized request completes successfully, the server returns a normal status code (for example, 200 OK); for more advanced authentication schemes it may also attach additional information in the Authentication-Info header (see (d)).
Security Realm
The WWW-Authenticate challenge contains a realm directive. The Web server groups its protected documents into security realms, and each realm can have a different set of authorized users.
Base-64 Encoding
HTTP Basic authentication packages the user name and password (separated by a colon) and encodes the result with Base-64. The following shows a Basic authentication example using Base-64 encoding:
Proxy Authentication
An intermediary proxy server can also perform authentication. Some organizations use a proxy server to authenticate users before they reach a server, a LAN, or a wireless network. Access policies can be managed centrally on the proxy, so a proxy is a convenient place to enforce unified access control over an organization's resources. The first step in this process is establishing identity through proxy authentication.
The steps for proxy authentication are the same as for Web server authentication, but the headers and the status code differ. The following table lists the differences between the status codes and headers used by a Web server and by a proxy during authentication.
| Web server | Proxy |
|---|---|
| Unauthorized status code: 401 | Unauthorized status code: 407 |
| WWW-Authenticate | Proxy-Authenticate |
| Authorization | Proxy-Authorization |
| Authentication-Info | Proxy-Authentication-Info |
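The following added example (written for this article, not code from any project it mentions) walks through steps (a) to (d), the Base-64 packaging of `user:password`, and the origin-server versus proxy header names from the table above, all in one place. It assumes a constructed credential store and a single realm, "Private Docs"; the function names, the `ROLES` table and the sample user are illustrative choices. Note that `decode_basic` recovers the plaintext password from the header: Base-64 is encoding, not encryption, which is why Basic credentials must only travel over TLS.

```python
import base64
import binascii
import hmac
import re

# Constructed credential store for the example: realm -> {user: password}.
# A real server keeps salted password hashes, never plaintext.
CREDENTIALS = {
    "Private Docs": {"alice": "s3cret"},
}

# Status code and header names for each role, as in the table above.
ROLES = {
    "origin": {"status": 401, "challenge": "WWW-Authenticate",
               "credentials": "Authorization"},
    "proxy": {"status": 407, "challenge": "Proxy-Authenticate",
              "credentials": "Proxy-Authorization"},
}


def encode_basic(user: str, password: str) -> str:
    """Client side, step (c): build the value of the Authorization header."""
    if ":" in user:
        # A colon would make the split on the server side ambiguous.
        raise ValueError("user name must not contain a colon")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header_value: str):
    """Server side: recover (user, password) from the header, or None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def parse_challenge(value: str):
    """Client side, step (b): read scheme and realm out of the challenge header."""
    scheme, _, params = value.partition(" ")
    realm = None
    for m in re.finditer(r'(\w+)="([^"]*)"', params):
        if m.group(1).lower() == "realm":
            realm = m.group(2)
    return scheme, realm


def handle_request(headers: dict, realm: str, role: str = "origin"):
    """Server side, steps (a)-(d). Returns (status, response_headers).

    'role' selects origin-server (401/WWW-Authenticate) or proxy
    (407/Proxy-Authenticate) behaviour; the logic is otherwise identical.
    """
    names = ROLES[role]
    challenge = {names["challenge"]: f'Basic realm="{realm}", charset="UTF-8"'}
    supplied = headers.get(names["credentials"])
    if supplied is None:
        # (a) -> (b): no credentials, issue the challenge.
        return names["status"], challenge
    creds = decode_basic(supplied)
    if creds is None:
        return names["status"], challenge
    user, password = creds
    expected = CREDENTIALS.get(realm, {}).get(user)
    # compare_digest keeps the comparison time independent of where the
    # first mismatching byte is, so a wrong guess leaks nothing through timing.
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        return 200, {}
    return names["status"], challenge


def run_exchange(role: str = "origin"):
    """Full round trip: the first request is challenged, the retry succeeds."""
    names = ROLES[role]
    status1, resp1 = handle_request({}, "Private Docs", role)           # (a), (b)
    _, realm = parse_challenge(resp1[names["challenge"]])
    retry = {names["credentials"]: encode_basic("alice", "s3cret")}    # (c)
    status2, _ = handle_request(retry, realm, role)                     # (d)
    return status1, status2


if __name__ == "__main__":
    print("origin server:", run_exchange("origin"))   # (401, 200)
    print("proxy:        ", run_exchange("proxy"))    # (407, 200)
    print("header value: ", encode_basic("alice", "s3cret"))
    print("decoded back: ", decode_basic(encode_basic("alice", "s3cret")))
```

Running the script shows the same two-request pattern for both roles; only the status code and header names change, exactly as the table states. The `decoded back` line makes the Base-64 point concrete: anyone who can read the request can read the password.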
HTTP-Basic Authentication