Java Glossary : authentication

Last updated 2004-06-28 by Roedy Green ©1996-2004 Canadian Mind Products


authentication
Ensuring that someone seeking to use some computer service is actually who they claim to be, or that the provider of the service is actually who it claims to be. Such schemes work with a shared secret such as a password or a private key. In some schemes, the actual secret need not be exchanged, just proof that the other end knows the secret, e.g. by encrypting a random message with the private key. You can do web authentication with basic authentication, where the browser brings up a dialog box for user name and password; form-based, where the user fills in a form with username and password and perhaps other information; certificate-based, where the browser presents an X.509 certificate to the server to request access; and digest authentication, where the password is digested before being sent to the server to avoid it being snooped on.

In Java 1.2+ you can use the java.net.Authenticator class. You extend the class overriding the getPasswordAuthentication method like this:

import java.net.Authenticator;
import java.net.PasswordAuthentication;

/**
 * Minimalist custom Authenticator to provide userid/password
 * to Java protocols.
 */
class MyAuthenticator extends Authenticator
   {
   /**
   * Called when password authorization is needed.
   * @return The PasswordAuthentication collected from the
   * user, or null if none is provided.
   */
   protected PasswordAuthentication getPasswordAuthentication()
      {
      return new PasswordAuthentication ( "Alladin", "sesame".toCharArray() );
      }
   }

You then register your custom Authenticator with

Authenticator.setDefault( new MyAuthenticator() );

You then do your GETs ignoring authentication. See the fileio amanuensis for how. The technique reputedly works for HTTP and proxies. It may work for HTTPS. It may even work for digested passwords. I don't see how it could work for certificate style authentication, however.
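The Authenticator above returns the same userid and password for every challenge the JVM receives, whichever server or proxy issued it. The following added example (not code from the original page) releases the password only to one expected server over HTTPS; it needs Java 5 or later for getRequestorType, and the host names, port and realm prompt are constructed values.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;

/**
 * Added example: releases the userid/password only to one expected
 * HTTPS origin server. Host, port and realm prompt are constructed.
 */
public class ScopedAuthenticator extends Authenticator
   {
   private static final String ALLOWED_HOST = "intranet.example"; // assumed host
   private static final int ALLOWED_PORT = 443;                   // assumed port

   /**
    * @return credentials for the allowed server, or null to decline.
    */
   protected PasswordAuthentication getPasswordAuthentication()
      {
      // Decline proxy challenges: this password belongs to the origin server.
      if ( getRequestorType() != RequestorType.SERVER ) return null;
      // Decline cleartext transports, where Basic credentials can be snooped.
      if ( !"https".equalsIgnoreCase( getRequestingProtocol() ) ) return null;
      // Decline any host or port other than the one the password was issued for.
      if ( !ALLOWED_HOST.equalsIgnoreCase( getRequestingHost() ) ) return null;
      if ( getRequestingPort() != ALLOWED_PORT ) return null;
      return new PasswordAuthentication( "Alladin", "sesame".toCharArray() );
      }

   /** Hands one constructed challenge to the default Authenticator, offline. */
   static boolean released( String host, int port, String protocol, RequestorType type )
      {
      return Authenticator.requestPasswordAuthentication(
            host, null, port, protocol, "constructed realm", "basic", null, type ) != null;
      }

   public static void main( String[] args )
      {
      Authenticator.setDefault( new ScopedAuthenticator() );
      System.out.println( "expected server:  " + released( "intranet.example", 443, "https", RequestorType.SERVER ) );
      System.out.println( "cleartext http:   " + released( "intranet.example", 80, "http", RequestorType.SERVER ) );
      System.out.println( "unexpected host:  " + released( "other.example", 443, "https", RequestorType.SERVER ) );
      System.out.println( "proxy challenge:  " + released( "proxy.example", 443, "https", RequestorType.PROXY ) );
      }
   }
```

Returning null declines the challenge, so no password is sent to the party that asked for it.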

If you are using an older Java, you will have to do it the Smith-Barney way (obscure reference to the late John Houseman):

// code to add to a URLConnection GET request
// to add basic userid/password authentication.
...
String userid = "Alladin";
String password = "sesame";
String stringUserIdPassword = userid + ":" + password;
byte[] byteUserIdPassword = stringUserIdPassword.getBytes( "ASCII" );
String base64UserIdPassword = new Base64().encode( byteUserIdPassword );
urlc.setRequestProperty( "Authorization", "Basic " + base64UserIdPassword );
urlc.connect();

For digest-style authentication, the protocol is more complex. It requires nine subfields. It is described in RFC 2617.

