Tuesday, January 29, 2008

Sending "Authorization" header with initial HTTP request

If OAM protects a web resource with a basic authentication scheme, any browser request for that resource returns a 401 with a "WWW-Authenticate: Basic" header. This prompts the browser to pop up the username/password dialog box. When the user types in the username and password, these credentials are sent, base64 encoded, in the next request as part of the "Authorization: Basic" header.

If one does not want the browser to pop up the dialog, or one is using a script/client application to access that resource, the "Authorization" header should be sent with the initial HTTP request. But a correct Authorization header by itself will not submit the user credentials to Webgate. It seems the script/client application also has to send a cookie in the same request before Webgate will process the Authorization header. The cookie name and value are always the same:

Cookie: OBBasicAuth=fromDialog

To summarize, with all the other required HTTP headers and data, the application should send the following (for username/password as guest/password1234):

Cookie: OBBasicAuth=fromDialog
Authorization: Basic Z3Vlc3Q6cGFzc3dvcmQxMjM0

Edit: Please note that the Authorization header has the base64 encoded version of string username:password (in this case guest:password1234 which is 'Z3Vlc3Q6cGFzc3dvcmQxMjM0') and not username/password as the article mentions above. Thanks for pointing that out Filipe.
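As an added example (not from the original post), the following Python script builds the two headers described above, base64 encoding "username:password" with a colon rather than a slash, and sends them with the first request so no 401 round-trip is needed. The URL in the usage block is a placeholder; the cookie name/value and the sample credentials are the ones given in the post.

```python
import base64
import urllib.error
import urllib.request
from typing import Dict, Tuple

# Cookie Webgate expects alongside a pre-sent Authorization header (per the post).
OBBASICAUTH_COOKIE = "OBBasicAuth=fromDialog"


def basic_auth_value(username: str, password: str) -> str:
    """Build the Basic Authorization value from 'username:password' (colon, not slash)."""
    if ":" in username:
        raise ValueError("the user-id of Basic auth must not contain ':'")
    # Browsers historically send Basic credentials as latin-1; ASCII input is unchanged.
    token = base64.b64encode(f"{username}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header_value: str) -> Tuple[str, str]:
    """Recover (username, password) from a 'Basic ...' value, e.g. to check a captured request."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, pwd = base64.b64decode(token).decode("latin-1").partition(":")
    return user, pwd


def webgate_headers(username: str, password: str) -> Dict[str, str]:
    """Headers a script must send on the initial request for Webgate to accept the credentials."""
    return {
        "Cookie": OBBASICAUTH_COOKIE,
        "Authorization": basic_auth_value(username, password),
    }


def fetch(url: str, username: str, password: str, timeout: float = 10) -> Tuple[int, bytes]:
    """GET url with credentials pre-sent; returns (status, body) without retrying on 401."""
    req = urllib.request.Request(url, headers=webgate_headers(username, password))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        # A 401 here means Webgate did not accept the pre-sent header/cookie pair.
        return e.code, e.read()


if __name__ == "__main__":
    # Placeholder URL: substitute the OAM-protected resource.
    status, body = fetch("https://oam.example.invalid/protected/", "guest", "password1234")
    print(status, body[:200])
```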

1 comment:

  1. You missed mentioning that the encoding is made of user:password, not user/password
