Login Authentication

Login is the process of obtaining a user ID and password from the client. The credentials may be carried automatically in the request, or the client may be prompted for them.

Commonly, login schemes are conflated with realms, which in iSMO channels represent credentials authentication schemes. A logon authentication scheme is a protocol that defines the challenge sent by the server in response to a request for a secure resource and the exchange of security information between client and server in response to the challenge. Currently, NHTTP and NAS2 support two authentication schemes, HTTP Basic and Digest Access authentication, as defined in RFC 2617. The NHTTP emitter and HttpClient provider will respond to either challenge appropriately if the emitter is configured with a username and password. Authentication on the NHTTP listener can be tested with a browser.

With basic authentication, you should see:

  1. The server responds to the initial request with a 401 status code and a challenge that looks like:
    WWW-Authenticate: Basic realm="realm name"

    The realm name in our challenges will always match the name of the configured realm in the server.

  2. The client responds to the challenge by adding a header to its request that looks like this:
    Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

    The secret-looking string after "Basic" is the username and password (separated by a colon) in Base-64 encoding. Base-64 is reversible, not a form of encryption, so the password is readable by anyone who sees the line.

If you are using digest authentication, the challenge and response look like this:

  1. Challenge:
    WWW-Authenticate: Digest realm="realm name",
                      qop="auth",
                      nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                      opaque="5ccc069c403ebaf9f0171e9517f40e41"

    The server, desiring credentials, rejects the request and returns a newly-created random value, called a nonce, to the client. The client hashes this nonce along with the user ID, the realm name and the password (plus a few other things) to create a message digest, and sends the resulting hash code back in its response.

  2. Response:
    Authorization: Digest username="Mufasa",
                          realm="realm name",
                          nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                          uri="/dir/index.html",
                          qop=auth,
                          nc=00000001,
                          cnonce="0a4f113b",
                          response="6629fae49393a05397450978507c4ef1",
                          opaque="5ccc069c403ebaf9f0171e9517f40e41"

    The server performs the same calculation, but using its stored password. The response value sent by the client should match the value computed by the server. The actual password never appears on the line.
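As an added example (not iWay's code), the RFC 2617 "auth" digest computation that both client and server perform, with the server-side check of the Authorization header. The response hash quoted above is the RFC 2617 worked example, so the code assumes that example's realm "testrealm@host.com", password "Circle Of Life" and method GET (none of which appear on this page); the header string is constructed from those values.

```python
import hashlib
import hmac
import re

# Assumed RFC 2617 example values (not taken from this page).
RFC_REALM = "testrealm@host.com"
RFC_PASSWORD = "Circle Of Life"
RFC_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"

# Constructed Authorization header, as a client would send it after the challenge.
AUTH_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)

# Matches name="quoted value" or name=bare-token (qop=auth, nc=00000001).
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(header):
    """Split a 'Digest ...' Authorization header into a parameter dict."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 qop=auth response: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")   # user ID, realm and password
    ha2 = _md5_hex(f"{method}:{uri}")                   # request method and URI
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(header, method, stored_password, expected_realm, expected_nonce):
    """Server side: recompute from the stored password and compare in constant time."""
    p = parse_digest_header(header)
    # Reject replays of a nonce the server did not issue, and a realm it does not serve.
    if p.get("realm") != expected_realm or p.get("nonce") != expected_nonce:
        return False
    if p.get("qop") != "auth":
        return False
    expected = digest_response(p["username"], p["realm"], stored_password, method,
                               p["uri"], p["nonce"], p["nc"], p["cnonce"])
    return hmac.compare_digest(expected, p.get("response", ""))
```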

Other protocols obtain their logon user ID and password based on the RFC controlling their operation. The FTP Server channel and the telnet command channel are cases in point. Regardless of the mechanism used to obtain the user ID and password, however, the credentials authentication mechanism remains the same.


iWay Software