Here is a very simple way of providing authentication in your application. Everytime you send a http request to the server, the username and password are sent as part of the HTTP header (in every request). They are encoded using base64, so yes it is NOT a safe way to do things. If you decide to use it, atleast use SSL with it.

  • Users sends a request.
  • Server sends back response code 401 and Http response header WWW-Authenticate = Basic realm=”MyRealm”.
  • Browser receives this (header and response code) and prompts user to enter username and password.
  • Browser sends another GET request but with Http request header Authorization: Basic .
  • Server receives this header, authenticates the user and sends back either a Response code 200 (OK) or 401 (Unauthorized).

If the response is 200 (Ok) browser will cache the username and password so that user doesn’t have to keep reentering it.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
 
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.StringUtils;
 
public class AuthenticateServlet extends HttpServlet {
 
  private static final long serialVersionUID = 1L;
 
  public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
 
    if ( request.getHeader("Authorization") != null ) {
      String auth = request.getHeader("Authorization");
      String coded_user_password = auth.split(" ") [1];
      String decoded_user_password = StringUtils.newStringUtf8(Base64.decodeBase64(coded_user_password));
 
      String username = decoded_user_password.split(":")[0];
      String password = decoded_user_password.split(":")[1];
 
      PrintWriter out = response.getWriter();
      out.println("<p>Username: " + username + "</p><p>Password: " + password + "</p>");
 
    } else {
 
      response.setHeader("WWW-Authenticate", "Basic realm=\"MyRealm\"");
      response.setStatus(401);
 
    }
  }
}