Monday, April 2, 2018

Setting up HTTP Basic Authentication


- Layout for this exercise:

- Web applications may provide their own access control methods, but a web server can also restrict access by using two types of authentications that are part of the HTTP standard: Basic and Digest authentication.

- HTTP Basic Authentication (BA) is the simplest way to enforce access control on web resources: with each request, the user agent sends credentials (username and password) to the web server.

- BA uses standard fields in the HTTP header and provides no confidentiality: the credentials are sent merely Base64-encoded, neither encrypted nor hashed, so anyone able to read the traffic can recover them.

- For further information about HTTP Basic Authentication:

- To implement Basic Authentication on an Apache web server, first of all a password file must be created, which Apache reads whenever the protected page is requested.

- The utility htpasswd (part of the apache2-utils package) manages user files for basic authentication. As an example, let's take:

username: admin (very common as default username in many devices)
password: ababa (simple, for the purpose of ease in this exercise)

- The hidden file .htpasswd has been created; on the server side it stores the password as a hash, not in clear text:

- The default format in which htpasswd stores the credentials is "$apr1$" followed by the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password.

See source file apr_md5.c for the details of the algorithm:

- Editing the Ubuntu default virtual host file (000-default.conf):

- Adding the HTTP BA restriction for the directory called "basicauth", which contains the web page. The <Directory> block specifies Basic as the authentication type, the name of the realm (the realm name defines a protection space for a web resource, in combination with the canonical root URL of the server being accessed), the path to the .htpasswd file, and the requirement that the client present "valid-user" credentials:

- In this way, we have established per-directory HTTP BA, specific to the directory "basicauth" that we are interested in.
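The virtual host fragment described above, as an added example rather than the file shown in the original post: the DocumentRoot, the realm name "Restricted Area" and the location /etc/apache2/.htpasswd for the password file are assumptions, since the post does not state them.

```apache
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Added example: only the "basicauth" directory is protected (assumed paths)
    <Directory "/var/www/html/basicauth">
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

The password file is created with `htpasswd -c /etc/apache2/.htpasswd admin` (the `-c` flag creates the file and must be left out when adding further users, or the existing entries are overwritten). Keeping the file outside the DocumentRoot, as here, prevents it from being served as a web resource itself. After `apachectl configtest` reports "Syntax OK" and the server is restarted, an unauthenticated request to /basicauth/ receives a 401 with the header `WWW-Authenticate: Basic realm="Restricted Area"`, which is what makes the browser prompt for credentials.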

- After editing the virtual host file, let's restart the web server:

- The configtest command checks that the syntax of the configuration file is correct:

- Reviewing the status of the web server:

- Now, a user is prompted to enter credentials when trying to access the web resources contained in the directory "basicauth".

- If wrong credentials are entered, the server answers with the default "Unauthorized" message:

- Once the correct credentials are entered, the web resources are finally available:
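The complete server-side check that this post describes, as an added example that is neither code from the original post nor from Apache: it builds the `Authorization: Basic` value a client sends (showing that the Base64 encoding mentioned above is trivially reversible), parses it back on the server side, re-implements the `$apr1$` scheme of apr_md5.c described above, and verifies a constructed .htpasswd entry for the post's admin/ababa user, answering 401 with the WWW-Authenticate challenge on missing or bad credentials and 200 otherwise. The salt "wXy5kQ0z", the realm name and all function names are my own choices.

```python
import base64
import binascii
import hashlib
import hmac

# Alphabet used by crypt-style hashes (not the RFC 4648 Base64 alphabet)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
REALM = "Restricted Area"   # assumed realm name; the post does not state one


def basic_header(username, password):
    """Client side: the Authorization value is only Base64 of 'user:password'."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_credentials(value):
    """Server side: (username, password) from an Authorization value, or None if malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, pw = decoded.partition(":")   # only the first colon separates the fields
    return user, pw


def _to64(value, count):
    # Emit `count` characters, 6 bits at a time, least significant bits first
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_hash(password, salt):
    """Re-implementation of the $apr1$ scheme from apr_md5.c (1,000 MD5 rounds)."""
    pw = password.encode("utf-8")
    salt = salt.split("$")[0][:8]            # at most 8 chars, terminated by '$'
    sp = salt.encode("ascii")
    ctx = hashlib.md5(pw + b"$apr1$" + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    remaining = len(pw)
    while remaining > 0:                     # alternate digest, 16 bytes per 16 password bytes
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    bits = len(pw)
    while bits:                              # one byte per bit of the password length
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                    # the slow part: rounds with varying input order
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    out = ""                                 # rearranged digest bytes, 3 bytes -> 4 characters
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return "$apr1$" + salt + "$" + out


def load_htpasswd(text):
    """Parse 'user:hash' lines as written by htpasswd; blank and '#' lines are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, _, stored = line.partition(":")
            users[user] = stored
    return users


def verify_password(stored, password):
    """Check a password against one $apr1$ entry (other htpasswd formats not handled)."""
    if not stored.startswith("$apr1$"):
        return False
    salt = stored[6:].split("$")[0]
    candidate = apr1_hash(password, salt)
    return hmac.compare_digest(candidate.encode("ascii"), stored.encode("ascii"))


def challenge_header():
    """Header sent with the 401 so that the browser prompts for credentials."""
    return 'WWW-Authenticate: Basic realm="%s"' % REALM


def authenticate(authorization_value, users):
    """Return the HTTP status the server would send: 200 for a valid user, else 401."""
    creds = parse_basic_credentials(authorization_value) if authorization_value else None
    if creds is None:
        return 401
    user, password = creds
    stored = users.get(user)
    if stored is None:                       # unknown user: same hashing cost, then reject
        verify_password(_DUMMY_ENTRY, password)
        return 401
    return 200 if verify_password(stored, password) else 401


_DUMMY_ENTRY = apr1_hash("dummy", "00000000")
# Constructed .htpasswd content for the post's admin/ababa user; the salt is made up
HTPASSWD = "admin:" + apr1_hash("ababa", "wXy5kQ0z") + "\n"

if __name__ == "__main__":
    table = load_htpasswd(HTPASSWD)
    print(HTPASSWD.strip(), basic_header("admin", "ababa"), challenge_header(), sep="\n")
    print(authenticate(basic_header("admin", "ababa"), table), authenticate(basic_header("admin", "wrong"), table))
```

Decoding the header with `validate=True` rejects junk that a lenient decoder would silently accept, splitting on the first colon only lets passwords contain colons, and the comparison uses `hmac.compare_digest` and an equal-cost dummy check for unknown users so that response timing does not leak which usernames exist.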