Add Authentication to HTTP Server


1,328 Views
Kremer
Contributor I
 Hi mates
 
 Has anyone of you already tried to add a simple digest authentication to the http server?
 I'm trying to do it, but it seems like the userpass.c file provided by InterNiche only gives us simple functions that insert user/password combos on a list and check it, returning false or true.
 But how do I tell the server that, before it serves its page, it must send a digest authentication screen requesting user and password, so that after the user has entered them on the digest screen, the server can then call the check_permit function provided in userpass.c?
 Any sample code, rule or advice is welcome.
 
 Thank you and best regards
 
0 Kudos
2 Replies

318 Views
Kremer
Contributor I
Forget about it, NicheLite doesn't provide a full-featured HTTP server. It only implements the GET method, not POST, nor CGI, nor basic or digest authentication. InterNiche HTTP is a complete HTTP 1.1 implementation, and it costs only $6000,00. :smileysurprised:
0 Kudos

318 Views
mjbcswitzerland
Specialist V
Kremer

In the uTasker project we support only basic authentication so you will also be disappointed but I can give a couple of notes about its implementation:
1. The HTTP server must collect the GET information (possibly over multiple frames, which makes it a little bit trickier) and sort the "authorization basic" string plus the Base64-encoded user name and password.
2. Once the '\r' at the end of this information has been received, the content can be decoded using the base64 algorithm to get back to plain text (since theoretically anyone can do this, base64-encoded info is not really worth much more than plain text, but it will at least work against 'lazy' eavesdroppers).
3. If the info doesn't match, the server serves a small page with the following example content:
HTTP/1.0 401\r\nWWW-Authenticate: Basic realm="MY WEBSERVER"\r\n\r\n
The 401 will cause the browser to offer the password dialog box.
4. Only when the user name and password match should the http server serve the requested page and react to any received commands. The serving part is simple because it either does it or re-serves the 401 side again. Handling commands is a little more complicated since the authentication information arrives usually after the data and so the data has to be buffered until the authentication has been completed (which may not be in the same TCP frame) but this is more an implementation detail.

However I can say that we do dynamic and controllable web server support (not cgi but something similar) allowing flexible control and do support the post method. In the uTasker demo project (free for non-commercial use) it is even possible to securely upload new code to the target using http post, which requires only a 2k byte boot program...
[document here: http://www.utasker.com/docs/uTasker/uTaskerBootLoader.PDF]

Regards

Message Edited by mjbcswitzerland on 2007-02-10 10:45 AM

0 Kudos
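
Steps 1 to 4 of the reply above, sketched in C as an added example; this is not uTasker or InterNiche code. The function name `check_basic_auth`, the 64-byte credential limit and the three-way return value are assumptions made for the illustration, and the comparison is done without an early exit so that response timing does not reveal how much of the credential matched.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Challenge from step 3; the realm text is the post's example value. */
const char RESP_401[] = "HTTP/1.0 401\r\nWWW-Authenticate: Basic realm=\"MY WEBSERVER\"\r\n\r\n";

static int b64_val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode base64 up to '\r' or '='; returns byte count, -1 if malformed or too long. */
static int b64_decode(const char *in, char *out, size_t cap) {
    unsigned acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '\r' && *in != '='; in++) {
        int v = b64_val((unsigned char)*in);
        if (v < 0 || n >= cap) return -1;
        acc = (acc << 6) | (unsigned)v; bits += 6;
        if (bits >= 8) { bits -= 8; out[n++] = (char)((acc >> bits) & 0xFF); }
    }
    return (int)n;
}

/* req: NUL-terminated bytes buffered so far; want: expected "user:password".
 * Returns 1 = match, 0 = missing/wrong (send RESP_401), -1 = keep buffering. */
int check_basic_auth(const char *req, const char *want) {
    static const char key[] = "\r\nAuthorization: Basic ";
    char got[64];                     /* assumed upper bound on "user:password" */
    const char *p = req;
    size_t i, wl = strlen(want);
    unsigned char diff;
    int n;
    for (; *p && strncasecmp(p, key, sizeof key - 1) != 0; p++)
        if (strncmp(p, "\r\n\r\n", 4) == 0) return 0;   /* headers ended without it */
    if (!*p) return -1;
    p += sizeof key - 1;
    if (!strchr(p, '\r')) return -1;                    /* value not terminated yet */
    n = b64_decode(p, got, sizeof got);
    if (n < 0) return 0;
    /* No early exit: timing must not reveal how many leading bytes matched. */
    diff = (unsigned char)((size_t)n != wl);
    for (i = 0; i < wl; i++)
        diff |= (unsigned char)((i < (size_t)n ? got[i] : 0) ^ want[i]);
    return diff == 0;
}
```

A return of -1 corresponds to the multi-frame case in step 1: the caller keeps appending received TCP data to the buffer and calls the function again, and acts on any received command only after it returns 1.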