http-header : www-authenticate

http-header : www-authenticate

Authentication signifies the process of identifying whether or not a client is eligible so as to access a resource. The HTTP protocol here supports authentication as a way of negotiating access to a secure resource.

It is a HTTP response header that helps in defining the authentication method which must be used so as to gain access to a resource. This header is sent along with a “401 Unauthorized” response status code.

When the servers gets a request for an access-protected object, and let’s say that an acceptable Authorization header has not been provided or sent, the server sends or responds with a status code of “401 Unauthorized” along with a “WWW-Authenticate” header. The initial header does not seem to hold any auth-data if the header is “WWW-Authenticate:negotiate”. But it is said to carry data if the header is “WWW-Authenticate:Nego2”. The response values of www-authenticate might be spread across multiple WWW-Authenticate headers.

WWW-Authenticate header indicates what all authentication scheme(s) and parameters are applicable to the target resource.

A proxy that is forwarding a response should not modify any of the WWW-Authenticate fields in that response.

User should take intensive care while parsing the field value because chances are it might hold a comma-separated list of various authentication parameters. Besides that even the header field itself might come up or occur many times.

For example:

WWW-Authenticate: Newauth realm=”apps”, type=1, title=”Login to \”apps\””, Basic realm=”simple”

The header field described above holds two challenges that is one for “Newauth” scheme with a realm value of “apps”, along with two more parameters such as, “type” and “title”, and the other scheme that is “Basic” holding a realm value which is “simple”. 


Enablement in Apache:

In order to password-protect a directory in Apache server, we would require a “.htaccess” along with a “.htpasswd” file.

The .htaccess file mostly would look like the below:

AuthType Basic

AuthName “Access to the staging site”

AuthUserFile /path/to/.htpasswd

Require valid-user

The “.htaccess” file provides reference to a “.htpasswd” file in which every line carries a username and password being separated by colon. Here we can’t view the genuine passwords as because they are encrypted. Also a point to note is that we can name our “.htpasswd” file differently if we like. But we must keep in mind that this file should not be retrievable to anyone. Apache is mostly configured so as to prevent access to the “.ht*” files.




Enablement in Nginx:

For this server, we would have to specify a particular location that we are going to secure or protect along with the “auth_basic” directive that helps in providing the name to required password-protected area. The directive that is “auth_basic_user_file” now points out to “.htpasswd” file which carries the encrypted credentials of the user. This is similar to the Apache example described above.

location /status {

auth_basic           “Access to the staging site”;

auth_basic_user_file /etc/apache2/.htpasswd;



Copyrights ©2008: Valency Networks Pvt Ltd.