Authorization
An Authorization
header is used to request restricted
documents. Upon first requesting a restricted document, the web
client requests the document without sending an
Authorization
header. If the server denies access
to the document, the server specifies the authorization method for
the client to use with the WWW-Authenticate
header. At this point, the client requests the document again, but
with an Authorization
header.
The Authorization
header is of the general form:
Authorization: SCHEME REALM
The authorization scheme generally used in HTTP is
BASIC,
and under the BASIC scheme the credentials follow the format
username:password
encoded in base 64. For
example, for the username of webmaster
and a
password of zrqma4v
, the
Authorization
header would look like this:
Authorization: Basic d2VibWFzdGVyOnpycW1hNHY=
When d2VibWFzdGVyOnpycW1hNHY=
is decoded using
base 64, it translates into
webmaster:zrqma4v
.
For example, a client requests information that requires
authorization, and the server responds with response code 401
(Unauthorized) and an appropriate
WWW-Authenticate
header describing the type of authentication required:
GET /sample.html HTTP/1.0 User-Agent: Mozilla/1.1N (Macintosh; I; 68K) Accept: */* Accept: image/gif Accept: image/x-xbitmap Accept: image/jpeg
The server then declares that further authorization is required to access the URL:
HTTP/1.0 401 Unauthorized Date: Sat, 20-May-95 03:32:38 GMT Server: NCSA/1.3 MIME-version: 1.0 Content-type: text/html WWW-Authenticate: ...
Get HTTP Pocket Reference now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.