How do you determine if a REST webservice is using Basic, Kerberos, NTLM, or one of the many other authentication methods?

3 Answers

When you send an unauthenticated request the service has to respond with "HTTP/1.1 401 Unauthorized", and the response contains a WWW-Authenticate header that specifies what authentication scheme is expected (Basic, Digest), the security realm and any other scheme-specific values (like Digest's nonce). So if the server responds with:

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="example.com",
                        qop="auth,auth-int",
                        nonce="...",
                        opaque="..."

it wants a Digest authentication. If the response looks like:

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="example.com"

then it wants Basic authentication. Some (poorly) implemented servers/sites don't handle Basic correctly and respond directly with 403 Forbidden instead of challenging first.

NTLM is similar in that the server responds with a 401 and a WWW-Authenticate header with the value NTLM, but there is no official public spec for it, since it is Microsoft proprietary. There are various reverse-engineered descriptions.

Unfortunately REST does not come with a WSDL-style description of the service to discover the authentication scheme used a priori.

2 Comments

the issue was that the REST service was not returning with any WWW-Authenticate header at all in the 401 so I had to manually specify the header
I only need 1 penny for every web site that does that (not handle Basic with correct challenge) and I can retire...
You send it a request, presumably get an HTTP 401 code, and look at the WWW-Authenticate header that (per RFC 2616) the response MUST include. If instead you get a 403 or some other weird status, or a missing WWW-Authenticate header, you curse at website authors that don't follow the core HTTP RFC, and start sniffing the traffic to try to reverse engineer what nonstandard mess they've done this time;-).

2 Comments

I wish I could select two valid answers, the issue was that the REST service was not returning a WWW-Authenticate header so I had to manually add the header with code from: devproj20.blogspot.com/2008/02/…
@Seph, yeah, the number of broken sites around the web is staggering, isn't it? No matter how clear an RFC is (and it doesn't get much clearer than MUST;-) there's always plenty of "programmers" (HA!) who think they're just too special to have to read, or abide by, boring docs...:-(
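The procedure both of the answers above describe (send an unauthenticated request, read the 401's WWW-Authenticate challenge, and recognise the broken cases where the server answers 403 or a 401 with no challenge at all) can be scripted. The following is an added example written for this page, not code from either answer; the HTTP responses in it are constructed inline so nothing is sent over the network, and the nonce/opaque values are made up. It parses the challenge grammar from RFC 7235 (scheme, comma-separated auth-params, or a token68 blob as Negotiate uses), handles several challenges in one header and several WWW-Authenticate headers in one response, and unfolds the multi-line header layout shown in the Digest example.

```python
"""Detect which HTTP authentication scheme a service expects from its 401 challenge.
Example code added for this page; all responses below are constructed, not captured."""
import re
from typing import Dict, List, Optional, Tuple

# Loose tokeniser for RFC 7235 challenges: quoted-string | '=' | ',' | word
# (tchar plus '/' and '+', which token68 values such as base64 blobs use).
_TOK = re.compile(r'''\s*("(?:[^"\\]|\\.)*"|[=,]|[A-Za-z0-9!#$%&'*+\-.^_`|~/]+)''')

Challenge = Tuple[str, Dict[str, str], Optional[str]]  # (scheme, auth-params, token68)


def _tokenize(value: str) -> List[Tuple[str, str]]:
    toks, pos = [], 0
    while pos < len(value):
        m = _TOK.match(value, pos)
        if not m:
            if value[pos:].strip() == "":
                break
            raise ValueError(f"bad WWW-Authenticate at offset {pos}: {value[pos:]!r}")
        pos, t = m.end(), m.group(1)
        if t.startswith('"'):
            toks.append(("quoted", re.sub(r"\\(.)", r"\1", t[1:-1])))  # strip quoting
        elif t in ("=", ","):
            toks.append((t, t))
        else:
            toks.append(("word", t))
    return toks


def _is_param(toks: List[Tuple[str, str]], i: int) -> bool:
    """True when toks[i:] starts with  name '=' value  (an auth-param)."""
    return (i + 2 < len(toks) and toks[i][0] == "word"
            and toks[i + 1][0] == "=" and toks[i + 2][0] in ("word", "quoted"))


def parse_www_authenticate(value: str) -> List[Challenge]:
    """Split one WWW-Authenticate header value into its challenges."""
    toks, out, i = _tokenize(value), [], 0
    while i < len(toks):
        if toks[i][0] == ",":            # separator between two challenges
            i += 1
            continue
        if toks[i][0] != "word":
            raise ValueError(f"expected auth-scheme, got {toks[i][1]!r}")
        scheme, params, token68 = toks[i][1], {}, None
        i += 1
        while i < len(toks):
            if toks[i][0] == ",":
                if _is_param(toks, i + 1):   # comma between params of this challenge
                    i += 1
                    continue
                break                        # comma before the next scheme
            if _is_param(toks, i):
                params[toks[i][1].lower()] = toks[i + 2][1]
                i += 3
            elif toks[i][0] == "word" and not params and token68 is None:
                token68 = toks[i][1]         # e.g. "Negotiate <base64 blob>"
                i += 1
                while i < len(toks) and toks[i][0] == "=":
                    token68 += "="           # base64 padding tokenised separately
                    i += 1
            else:
                raise ValueError(f"unexpected {toks[i][1]!r} in {scheme} challenge")
        out.append((scheme, params, token68))
    return out


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Parse a raw HTTP response head, unfolding continuation lines (obs-fold)."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    status = int(lines[0].split()[1])
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:          # folded continuation line
            name, val = headers[-1]
            headers[-1] = (name, val + " " + line.strip())
        elif ":" in line:
            name, val = line.split(":", 1)
            headers.append((name.strip(), val.strip()))
    return status, headers


def detect_auth(raw_response: str) -> Tuple[str, List[Challenge]]:
    """Classify the server's reaction to an unauthenticated request.
    RFC 7235: a 401 MUST carry WWW-Authenticate; the other verdicts are the
    misbehaviours the answers above complain about."""
    status, headers = parse_response(raw_response)
    values = [v for k, v in headers if k.lower() == "www-authenticate"]
    if status == 401 and values:
        challenges: List[Challenge] = []
        for v in values:                 # multiple headers are allowed; merge them
            challenges.extend(parse_www_authenticate(v))
        return "challenge", challenges
    if status == 401:
        return "401-without-challenge", []   # have to guess or sniff the client
    if status == 403:
        return "forbidden-no-challenge", []
    return ("no-auth-required" if 200 <= status < 300 else "unexpected"), []


SAMPLES = {  # constructed responses for this example
    "digest": ("HTTP/1.1 401 Unauthorized\r\n"
               'WWW-Authenticate: Digest realm="example.com",\r\n'
               '                  qop="auth,auth-int",\r\n'
               '                  nonce="constructed-nonce-1",\r\n'
               '                  opaque="constructed-opaque-1"\r\n'
               "Content-Length: 0\r\n\r\n"),
    "basic": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="example.com"\r\n\r\n',
    "windows": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n\r\n",
    "broken_403": "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n",
    "broken_401": "HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, challenges = detect_auth(raw)
        print(f"{name:11s} {verdict:23s} {challenges}")
```

Against a live target you would feed detect_auth the head of the real response (for example from http.client after a request sent without an Authorization header); the "401-without-challenge" and "forbidden-no-challenge" verdicts are exactly the situations the comments describe, where the only remaining option is to inspect a working client's traffic.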
If it's a black box scenario, I usually connect with Fiddler, and inspect the actual traffic.
