
About

Basic Access Authentication is an authentication mechanism for HTTP requests.

To be authenticated, the request should have:

Example

Authorization: Basic dXNlcjpwYXNzd29yZA==

where:

  • Authorization is the authorization header
  • Basic dXNlcjpwYXNzd29yZA== is the value where:
    • dXNlcjpwYXNzd29yZA== is an example of Base64 output of username:password where:
      • username is the username of the user
      • password can be:

OAuth encodes them both using the application/x-www-form-urlencoded encoding algorithm.

Security: HTTPS mandatory

Basic Authentication must always be used in conjunction with HTTPS.

Why? Because Basic access authentication uses the Base64 encoding. It is a public, reversible encoding scheme, meaning that anyone can decode the value without any secret.

You should therefore encrypt the network traffic with HTTPS (TLS) so that the whole request is not readable by a man in the middle.

Clients

How to make a Browser ask for credentials?

You can ask a browser to take care of the user/password dialog prompt.

Sequences:

In a sequence diagram:

sequenceDiagram
    participant User
    participant Browser
    participant Server
    User->>Browser: Enter URL in the browser or click a link
    Browser->>Server: Send GET HTTP Request
    Server->>Browser: Return 401 status with WWW-Authenticate Header
    Browser->>User: Enter your credentials in this form
    User->>Browser: Done
    Browser->>Server: Send GET HTTP Request with HTTP authorization header
    Server->>Browser: Validated, here, the HTML page (or any other resources)
    Browser->>User: Load the HTML page and shows it to the User
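The exchange in the sequence diagram above, as an added example that is not part of the original page: a client builds the Authorization header, and a server parses it and answers 401 with a WWW-Authenticate challenge when credentials are missing or wrong. The names build_basic, parse_basic and handle_request, the realm value and the in-memory USERS store are assumptions made for illustration.

```python
import base64
import binascii
import hmac

REALM = "example"  # assumed realm name shown in the browser prompt
# Constructed credential store for the demo; a real server stores password hashes.
USERS = {"user": "password"}

def build_basic(username, password):
    """Client side: build the Authorization header value."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_basic(header_value):
    """Server side: return (username, password), or None if malformed."""
    if not header_value:
        return None
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # No secret is needed here: Base64 is an encoding, not encryption.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: the password may itself contain colons.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password

def handle_request(headers):
    """Return (status, response_headers) for a GET on a protected resource."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401, challenge  # the browser reacts by prompting the user
    username, password = creds
    expected = USERS.get(username, "")
    # Constant-time comparison, evaluated even when the user is unknown.
    ok = hmac.compare_digest(password.encode(), expected.encode())
    if not (ok and username in USERS):
        return 401, challenge
    return 200, {}
```
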



Soap UI

In Soap UI, you can enter the credentials in the Auth tab.


Documentation / Reference