Http basic authentication header: Learn with Java code sample - Digizol6


Thursday, June 28, 2012

Http basic authentication header: Learn with Java code sample

HTTP basic authentication is one of the username and password based methods of securing access to web sites, web applications and web services. The purpose of this article is to analyze the details of this approach: how a username and password pair is encoded into a basic authentication header string, and how to decode the authentication string generated by web clients such as a browser or soapUI. The example is implemented in Java.

Aren't the username and password sent to the server?

When the username and password are entered into the pop-up in a web browser (or in a similar manner in other web clients), they are not sent to the server as they are, but are encoded in a way that the receiving server can decode to extract the username and password and check their validity. This encoding is not secure in the way that encryption approaches like AES are.

A sample request with a basic authentication header for username="Aladdin" and password="open sesame" looks as below.

GET /myweb/index.html HTTP/1.1
Host: localhost
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Web clients create a string by concatenating the username and password with a colon (":") as username:password. That string is then base64 encoded and sent to the server, which does the reverse to extract the username and password.

Example Program

The code example imports the class org.apache.commons.codec.binary.Base64 from commons-codec-1.6, available at http://commons.apache.org/codec/download_codec.cgi. Please download it yourself and add the commons-codec-1.6.jar file to the CLASSPATH.

package org.kamal.http.basicauth;

import java.nio.charset.StandardCharsets;

import org.apache.commons.codec.binary.Base64;

public class HttpBasicAuthenticationHeader {

    public static void main(String[] args) {

        final String username = "Aladdin";
        final String password = "open sesame";

        System.out.println("Input\t: username [" + username + "], password [" + password + "]");

        final String encodedText = createEncodedText(username, password);
        System.out.println("Encoded Text : " + encodedText);

        final String[] userDetails = decode(encodedText);
        System.out.println("Decoded\t: username [" + userDetails[0] + "], password [" + userDetails[1] + "]");
    }

    // Reverses the encoding: base64 decode, then split at the first colon only,
    // because the username cannot contain a colon but the password may.
    private static String[] decode(final String encodedString) {
        final byte[] decodedBytes = Base64.decodeBase64(encodedString.getBytes(StandardCharsets.US_ASCII));
        final String pair = new String(decodedBytes, StandardCharsets.UTF_8);
        return pair.split(":", 2);
    }

    // Builds "username:password" and base64 encodes it. The charset is not fixed by
    // RFC 2617, so UTF-8 is used explicitly instead of the platform default.
    private static String createEncodedText(final String username, final String password) {
        final String pair = username + ":" + password;
        final byte[] encodedBytes = Base64.encodeBase64(pair.getBytes(StandardCharsets.UTF_8));
        return new String(encodedBytes, StandardCharsets.US_ASCII);
    }
}

Output of the program:

Input : username [Aladdin], password [open sesame]
Encoded Text : QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Decoded : username [Aladdin], password [open sesame]

As you can see, the program encodes and decodes as expected.

Constraints

As per the related RFC (http://www.ietf.org/rfc/rfc2617.txt), the username cannot contain a colon, but the password has no such restriction. So the username is easily selected by splitting the string at the first colon; everything after that colon is the password.

Risk involved

This encoded string is passed to the server in plain text. Even though the username and password are hidden in a way, as you may have already guessed it is not safe at all to rely on HTTP basic authentication on its own, since decoding is straightforward and quite simple. So whenever this approach is used, it is advised to use a secure channel like HTTPS rather than HTTP.
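The server side of the exchange described above, as an added example that is not part of the original post: it parses the Authorization header value, checks the scheme token, rejects malformed base64, applies the first-colon rule from the Constraints section, and compares credentials in constant time. It uses the JDK's java.util.Base64 (Java 8+) instead of commons-codec, assumes UTF-8 for the decoded bytes (RFC 2617 leaves the charset undefined), and the class and method names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;

public class BasicAuthHeaderParser {
    /** Username and password recovered from an Authorization header. */
    public static final class Credentials {
        public final String username;
        public final String password;
        Credentials(String username, String password) {
            this.username = username;
            this.password = password;
        }
    }

    // Returns empty for a missing header, a non-Basic scheme, bad base64,
    // or a decoded payload that has no username:password separator.
    public static Optional<Credentials> parse(String headerValue) {
        if (headerValue == null) {
            return Optional.empty();
        }
        String[] parts = headerValue.trim().split("\\s+", 2);
        // The scheme token is matched case-insensitively, as the RFC requires.
        if (parts.length != 2 || !"Basic".equalsIgnoreCase(parts[0])) {
            return Optional.empty();
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // not valid base64: reject rather than guess
        }
        // RFC 2617 leaves the charset undefined; UTF-8 is an assumption here.
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return Optional.empty();
        }
        // Username cannot contain ':', so split at the first one; the rest is the password.
        return Optional.of(new Credentials(pair.substring(0, colon), pair.substring(colon + 1)));
    }

    /** Constant-time comparison so response timing does not reveal how much matched. */
    public static boolean matches(Credentials c, String expectedUser, String expectedPassword) {
        byte[] given = (c.username + ":" + c.password).getBytes(StandardCharsets.UTF_8);
        byte[] expected = (expectedUser + ":" + expectedPassword).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(given, expected);
    }
}
```

Calling parse("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==") yields the Aladdin / "open sesame" pair from the sample request, and a password such as "a:b:c" survives intact because only the first colon is used as the separator.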

8 comments:

  1. I used the sun.* library earlier, but the Apache one is useful. Thanks.

    ReplyDelete
  2. Good write-up. Personally, I've actually ended up using javax.xml.bind.DatatypeConverter to do the base64 encoding, since it's included in Java SE since 6.0. (And I don't even like JAXB)

    ReplyDelete
  3. Hi Johannes,
    Glad to hear this helped you, and thanks for the encouragement.
    KIT.

    ReplyDelete
  4. Hi Kamal,

    Can you provide complete java sample code for setting up HTTPS Basic authentication header and invoking a POST interface?

    Regards,
    Nasir

    ReplyDelete
  5. Hi, can you please provide a Java Spring Integration example to set basic authentication using a header enricher?

    ReplyDelete
  6. Great post, what you said is really helpful to me. I can't agree with you more. I have been talking with my friend about it; he thought it was really interesting as well.

    ReplyDelete
