How to Authenticate in HTTP World: the beginning of a secure transaction

Let’s start with a look at the communications that occur between a browser and a web container when the client asks for a secure resource on the web site. It’s BASIC, really.

The HTTP perspective...


1. The browser makes a request for a web resource, “update.jsp”.

2. The server determines that “update.jsp” is a constrained resource.

3. The container sends back an HTTP 401 (“Unauthorized”), with a WWW-Authenticate header and realm information.


4. The browser gets the 401 and, based on the Realm info, asks the user for his username and password.

5. The browser asks for “update.jsp” again (stateless, remember), but this time the request includes a security HTTP header carrying the username and password.

6. The Container verifies that the username and password match, and if they do, performs authorization.

7. If all the security stuff is good, the Container returns the HTML; if not, it returns another HTTP 401...
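The seven steps above in code, as an added example that is not from the book: a small Python model of the Container's side (steps 2, 6 and 7) and of the header the browser sends back in step 5. The realm, paths, users and roles are constructed sample data; passwords are stored as salted hashes and compared in constant time, and an authenticated user who lacks the required role gets a 403 rather than a second 401, which is what real containers do.

```python
import base64
import hashlib
import hmac

# Constructed sample data, not from the book: realm, constrained resources with the
# roles allowed to reach them, and a user store of salted SHA-256 password hashes.
REALM = "Admin Area"
CONSTRAINED = {"/update.jsp": {"Admin"}}

def _digest(salt, password):
    return hashlib.sha256(salt + password.encode()).hexdigest()

USERS = {
    "annie": {"salt": b"s1", "hash": _digest(b"s1", "beer"), "roles": {"Admin"}},
    "bob": {"salt": b"s2", "hash": _digest(b"s2", "stout"), "roles": {"Member"}},
}

def challenge():
    """Step 3: the 401 that tells the browser which realm to prompt for."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, ""

def authorization_header(user, password):
    """Step 5: the browser's reply. Base64 is encoding, not encryption: TLS only."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header):
    """Decode 'Basic <base64(user:pass)>'; None for anything malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, sep, pw = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # bad base64 (binascii.Error) or bad UTF-8
        return None
    return (user, pw) if sep else None

def handle(path, headers):
    """Container side of steps 2, 6 and 7: returns (status, headers, body)."""
    if path not in CONSTRAINED:                      # step 2: not constrained
        return 200, {}, f"<html>{path}</html>"
    creds = parse_basic(headers.get("Authorization", ""))
    if creds is None:                                # step 3: no usable credentials
        return challenge()
    user, pw = creds
    record = USERS.get(user, {"salt": b"", "hash": "", "roles": set()})
    if not hmac.compare_digest(_digest(record["salt"], pw), record["hash"]):
        return challenge()                           # step 6 failed: ask again
    if not CONSTRAINED[path] & record["roles"]:      # authorization: wrong role
        return 403, {}, "Forbidden"
    return 200, {}, f"<html>{path} for {user}</html>"  # step 7
```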

Source: Head First Servlets and JSP, 2nd Edition (O’Reilly).