Basic Authentication
Basic access authentication is a method for an HTTP user agent (e.g. a web browser) to provide a user name and password when making a request.
Last updated
Was this helpful?
Basic access authentication is a method for an HTTP user agent (e.g. a web browser) to provide a user name and password when making a request.
Last updated
Was this helpful?
CBSecurity supports the concept of HTTP basic authentication in your ColdBox applications. Please note that this is a quick and easy way to provide security, but not the safest by any means. You have been warned!
In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent (e.g. a web browser) to provide a username and password when making a request. In basic HTTP authentication, a request contains a header field in the form of Authorization: Basic <credentials>, where credentials is the Base64 encoding of ID and password joined by a single colon :.
HTTP Basic authentication (BA) implementation is the most straightforward technique for enforcing access controls to web resources because it does not require cookies, session identifiers, or login pages; instead, HTTP Basic authentication uses standard fields in the HTTP header.
The first step is configuring your application to use basic authentication as the validator of choice. We will configure two things:
Validator: BasicAuthValidator@cbsecurity
Basic auth settings: Where you configure users, passwords, roles, permissions, and encryption
CBSecurity allows you to use basic authentication with ANY authentication service.
This is the most basic configuration where we register a single user and tell the firewall to use the basic auth validator. Since the default authentication service is cbauth I don't have to register it. Finally, since CBSecurity detects the BasicAuthValidatorand no registered user class, it will register the BasicAuthUserService as well for you.
You can explicitly set the UserServiceClass to be BasicAuthUserService@cbsecurity if you wanted to.
All I have to do now is create security rules or annotations, and CBSecurity will leverage the browser's Basic Authentication Prompt when those resources are trying to be accessed. Once you put in your credentials, it will verify them against the registered users in the basicAuth configuration dictionary.
Since Basic Authentication ONLY focuses on login, logout is left out of the equation. In CBSecurity, we have created a special event so you can securely log out users from basic authentication, which you can hit with ANY HTTP verb.
This will call the logout method of the authentication service and set the following HTTP headers for you so your session can be rotated:
Ultimately, you can close your browser too.
ColdBox also supports the concept of basic authentication retrieval since the early version 2 days. ColdBox can detect, parse and give you a struct of username and password by leveraging the request context's getHTTPBasicCredentials() method.
