HTTP Security Challenge Messages Example


1. A request is made to a restricted access, in this case from a web browser:

GET /thredds/dodsC/restrict/testData.nc.html HTTP/1.1
   Host: motherlode.ucar.edu:9080
   User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.11) Gecko/20070312 Firefox/1.5.0.11
   Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
   Accept-Language: en-us,en;q=0.5
   Accept-Encoding: gzip,deflate
   Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
   Keep-Alive: 300
   Connection: keep-alive

The response is a redirection to a special URL, given in the Location header. Notice that a session Cookie is also sent.

HTTP/1.x 302 Moved Temporarily
   Server: Apache-Coyote/1.1
   Last-Modified: Tue, 30 Jan 2007 17:29:35 GMT
   Set-Cookie: JSESSIONID=77421EB5C6EEA0BD2AA59BE8A0950F33; Path=/thredds
   Location: http://motherlode.ucar.edu:9080/thredds/restrictedAccess/tiggeData
   Content-Length: 0
   Date: Wed, 04 Apr 2007 00:27:14 GMT

2. The client follows the redirect:

GET /thredds/restrictedAccess/tiggeData HTTP/1.1
   Host: motherlode.ucar.edu:9080
   User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.11) Gecko/20070312 Firefox/1.5.0.11
   Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
   Accept-Language: en-us,en;q=0.5
   Accept-Encoding: gzip,deflate
   Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
   Keep-Alive: 300
   Connection: keep-alive
   Cookie: JSESSIONID=77421EB5C6EEA0BD2AA59BE8A0950F33

Because SSL is on, a second redirect happens to an HTTPS URL. This is part of the Tomcat managed authentication.

HTTP/1.x 302 Moved Temporarily
   Server: Apache-Coyote/1.1
   Pragma: No-cache
   Cache-Control: no-cache
   Expires: Wed, 31 Dec 1969 17:00:00 MST
   Location: https://motherlode.ucar.edu:9443/thredds/restrictedAccess/tiggeData
   Content-Length: 0
   Date: Wed, 04 Apr 2007 00:27:14 GMT

3. The client again follows the redirect:

GET /thredds/restrictedAccess/tiggeData HTTP/1.1
   Host: motherlode.ucar.edu:9443
   User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.11) Gecko/20070312 Firefox/1.5.0.11
   Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
   Accept-Language: en-us,en;q=0.5
   Accept-Encoding: gzip,deflate
   Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
   Keep-Alive: 300
   Connection: keep-alive
   Cookie: JSESSIONID=77421EB5C6EEA0BD2AA59BE8A0950F33; 

The reponse is the HTTP Security challenge. The WWW-Authenticate header indicates its using BASIC authentication for the Realm THREDDS Data Server. BASIC is safe because we are using SSL.

HTTP/1.x 401 Unauthorized
   Server: Apache-Coyote/1.1
   Pragma: No-cache
   Cache-Control: no-cache
   Expires: Wed, 31 Dec 1969 17:00:00 MST
   WWW-Authenticate: Basic realm="THREDDS Data Server"
   Content-Type: text/html;charset=utf-8
   Content-Length: 954
   Date: Wed, 04 Apr 2007 00:27:19 GMT

4. At this point, the client must know how to obtain the proper username/password, and base64 encode it into the Authorization header, and repeat the request:

GET /thredds/restrictedAccess/tiggeData HTTP/1.1
   Host: motherlode.ucar.edu:9443
   User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.11) Gecko/20070312 Firefox/1.5.0.11
   Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
   Accept-Language: en-us,en;q=0.5
   Accept-Encoding: gzip,deflate
   Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
   Keep-Alive: 300
   Connection: keep-alive
   Cookie: JSESSIONID=77421EB5C6EEA0BD2AA59BE8A0950F33
   Authorization: Basic dGlnZ2VEYXRhOnRpZ2dl

If the server authenticates the user, and the user is authorized to access the resource, then it is redirected back to the original URL:

HTTP/1.x 302 Moved Temporarily
   Server: Apache-Coyote/1.1
   Pragma: No-cache
   Cache-Control: no-cache
   Expires: Wed, 31 Dec 1969 17:00:00 MST
   Location: http://motherlode.ucar.edu:9080/thredds/dodsC/restrict/testData.nc.html
   Content-Length: 0
   Date: Wed, 04 Apr 2007 00:27:52 GMT

If the client sends back an incorrect password, the server responds a 401 Unauthorized:

HTTP/1.x 401 Unauthorized
   Server: Apache-Coyote/1.1
   Pragma: No-cache
   Cache-Control: no-cache
   Expires: Wed, 31 Dec 1969 17:00:00 MST
   WWW-Authenticate: Basic realm="THREDDS Data Server"
   Content-Type: text/html;charset=utf-8
   Content-Length: 954
   Date: Wed, 04 Apr 2007 00:27:32 GMT


5. The client follows the redirect, and we're back where we started from (compare 1), except that the server now has created a session for this user, pointed to by the Session Cookie (which the client has been sending all along)

GET /thredds/dodsC/restrict/testData.nc.html HTTP/1.1
   Host: motherlode.ucar.edu:9080
   User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.11) Gecko/20070312 Firefox/1.5.0.11
   Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
   Accept-Language: en-us,en;q=0.5
   Accept-Encoding: gzip,deflate
   Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
   Keep-Alive: 300
   Connection: keep-alive
   Cookie: JSESSIONID=77421EB5C6EEA0BD2AA59BE8A0950F33

Now at last the server sends back the restricted resource:

HTTP/1.x 200 OK
   Server: Apache-Coyote/1.1
   Last-Modified: Tue, 30 Jan 2007 17:29:35 GMT
   XDODS-Server: opendap/3.7
   Content-Description: dods_form
   Content-Type: text/html
   Transfer-Encoding: chunked
   Date: Wed, 04 Apr 2007 00:27:52 GMT

6. On subsequent requests, as long as the client sends back a valid session Cookie, the request is honored without further challenge:

GET /thredds/dodsC/restrict/testData.nc.ascii?reftime[0:1:0] HTTP/1.1
   Host: motherlode.ucar.edu:9080
   User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.11) Gecko/20070312 Firefox/1.5.0.11
   Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
   Accept-Language: en-us,en;q=0.5
   Accept-Encoding: gzip,deflate
   Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
   Keep-Alive: 300
   Connection: keep-alive
   Cookie: JSESSIONID=77421EB5C6EEA0BD2AA59BE8A0950F33
HTTP/1.x 200 OK
   Server: Apache-Coyote/1.1
   XDODS-Server: opendap/3.7
   Content-Description: dods_ascii
   Content-Type: text/plain
   Transfer-Encoding: chunked
   Date: Wed, 04 Apr 2007 00:56:23 GMT  

THREDDS This document is maintained by Unidata and was last updated April 3, 2007. Send comments to THREDDS support.