Java News Tips Software
Java News Tips Software | Contact | Facebook | Twitter RSS

Http basic authentication header: Learn with Java code sample

HTTP basic authentication with headers is one of the username & password based methods of securing access to web sites, web applications and web services. Purpose of this article is to analyze the details of this approach by explaining how to encode a pair of username & password as a basic authentication header string as well as to decode the authentication string generated from the web clients like browser or soapIU; and the example is implemented with Java.

Isn't username and password send to server?

When username and password is entered into the pop-up in Web browser (or by similar manner in other web clients) those are not send to server as they are, but send after encoding in a way that the receiving server side can decode and extract the username and password to check the validity. This encoding approach is not secure as the encryption approaches like AES.

Sample request with basic authentication header for username="Aladdin" and password="open sesame" looks as below.

GET /myweb/index.html HTTP/1.1
Host: localhost
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Web clients create a string by concatenating the username and password with a colon (":") as username:password. Then it is encoded in base 64 and is sent to the server, so that the server can do the reverse to extract username and password.

Example Program

Code example imports a class named Imported class named org.apache.commons.codec.binary.Base64 from commons-codec-1.6 available at http://commons.apache.org/codec/download_codec.cgi. Please download it yourself and add the commons-codec-1.6.jar file to the CLASSPATH.

package org.kamal.http.basicauth;

import org.apache.commons.codec.binary.Base64;

public class HttpBasicAuthenticationHeader {

 public static void main(String[] args) {
  
  final String username = "Aladdin";
  final String password = "open sesame";
  
  System.out.println("Input\t: username [" + username + "], password [" + password + "]");
  
  final String encodedText = createEncodedText(username, password);
  System.out.println("Encoded Text : " + encodedText);
  
  final String[] userDetails = decode(encodedText);
  System.out.println("Decoded\t: username [" + userDetails[0] + "], password [" +  userDetails[1] + "]");
  
 }

 private static String[] decode(final String encodedString) {
  final byte[] decodedBytes = Base64.decodeBase64(encodedString.getBytes());
  final String pair = new String(decodedBytes);
  final String[] userDetails = pair.split(":", 2);
  return userDetails;
 }

 private static String createEncodedText(final String username, final String password) {
  final String pair = username + ":" + password;
  final byte[] encodedBytes = Base64.encodeBase64(pair.getBytes());
  return new String(encodedBytes);
 }

Output of the program:

Input : username [Aladdin], password [open sesame]
Encoded Text : QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Decoded : username [Aladdin], password [open sesame]

As you can see the above program can encode and decode as expected.

Constraints

As per the related RFC (http://www.ietf.org/rfc/rfc2617.txt); username can not contain any colons, but password has no such restrictions. So it is easy to select the username by splitting the string till the first colon is reached.

Risk involved

This encoded string is passed to the server in plain text. Even though the username and password are hidden in a way; as you may have already guessed, it is not safe at all to use http basic authentication as decoding is straightforward and quite simple. So when ever this approach is used, it is advised to use a secure channel like HTTPS rather than HTTP.

Labels: , , ,


10 Comments

  1. Anonymous Anonymous on July 01, 2012 5:37 PM  
    I used sun.* library earlier, but apache one useful. thanks.
  2. Good write-up. Personally, I've actually ended up using javax.xml.bind.DatatypeConverter to do the base64 encoding, since it's included in Java SE since 6.0. (And I don't even like JAXB)
  3. Hi Johannes,
    Glad to hear this helped you, and thanks for the encouragement.
    KIT.
  4. good stuff kamal
  5. Thanks Ruka.
  6. Anonymous Anonymous on July 13, 2012 1:52 PM  
    HI Kamal,

    Can you provide complete java sample code for setting up HTTPS Basic authentication header and invoking a POST interface?

    Regards,
    Nasir
  7. Anonymous Anonymous on October 09, 2012 11:43 PM  
    Hi can you please provide java spring integration example to set basic authentication using header enricher
  8. Great post, what you said is really helpful to me. I can’t agree with you anymore. I have been talking with my friend about, he though it is really interesting as well
  9. Anonymous Anonymous on February 28, 2014 6:36 AM  
    This comment has been removed by a blog administrator.
  10. you can try this free online service to convert base64 to string online.
ABOUT AUTHOR
Page Views :
Email :
PREVIOUS ARTICLES
Select Month:
TOP
Free counter and web stats