Tuesday, January 29, 2008
Sending "Authorization" header with initial HTTP request
If OAM protects a web resource with a basic authentication scheme, any browser request for that request returns a 401 with a "WWW-Authenticate: basic" header. This prompts the browsers to pop-up the username/password dialog box. When the user types in the username and password, these credentials are sent, base64 encoded, in the next request as part of the "Authorization: basic" header.
If one does not want the browser to pop-up the dialog, or one is using a script/client application to access that resource, the "Authorization" header should be sent with the initial HTTP request. But the correct Authorization header by itself will not submit user credentials to Webgate. It seems the script/client application will also have to send a cookie in the request to make Webgate process the Authorization header. The cookie name and value are always the same:
Cookie: OBBasicAuth=fromDialog
To summarize, with all the other required HTTP headers and data, the application should send the following (for username/password as guest/password1234):
Edit: Please note that the Authorization header has the base64 encoded version of string username:password (in this case guest:password1234 which is 'Z3Vlc3Q6cGFzc3dvcmQxMjM0') and not username/password as the article mentions above. Thanks for pointing that out Filipe.
If one does not want the browser to pop-up the dialog, or one is using a script/client application to access that resource, the "Authorization" header should be sent with the initial HTTP request. But the correct Authorization header by itself will not submit user credentials to Webgate. It seems the script/client application will also have to send a cookie in the request to make Webgate process the Authorization header. The cookie name and value are always the same:
Cookie: OBBasicAuth=fromDialog
To summarize, with all the other required HTTP headers and data, the application should send the following (for username/password as guest/password1234):
Cookie: OBBasicAuth=fromDialog
Authorization: Basic Z3Vlc3Q6cGFzc3dvcmQxMjM0
Edit: Please note that the Authorization header has the base64 encoded version of string username:password (in this case guest:password1234 which is 'Z3Vlc3Q6cGFzc3dvcmQxMjM0') and not username/password as the article mentions above. Thanks for pointing that out Filipe.
Labels: Webgate Authorization Header, Webgate Basic Authentication