My name is Philipp C. Heckel and I write about nerdy things.

Snippet 0x08: HTTP Basic Auth for secure WebSocket connections (with Undertow)


For my open source file sync software Syncany, I use the embedded web server and websocket server Undertow to provide the websocket- and REST-based interface of the Syncany daemon. Syncany clients (such as the GUI, or potentially a web interface) connect to this daemon, send requests and receive asynchronous events. Syncany’s GUI client also uses the Undertow websocket client to connect to the daemon.

To authenticate the websocket client with the daemon, the simple HTTP basic authentication mechanism over HTTPS is used. This tiny post shows you how to authenticate against a websocket server with HTTP basic auth using the Undertow websocket client.

1. HTTP basic for normal web pages

HTTP basic authentication is widely used across the Internet for normal HTTP(S) web pages, but rarely used to authenticate websocket clients — at least not to my knowledge. A reason for this could be that some browsers still struggle with handing over the HTTP basic “Authorization” header to the actual HTTP-based websocket handshake. Firefox supports this, Chrome does not — I don’t know about IE. For Syncany, we have decided to use HTTP basic authentication anyway, because it is very simple to implement and is as secure as other methods as long as HTTPS is enforced.

2. HTTP basic for websockets

The entire “magic” behind HTTP basic is to ensure that all HTTP requests contain an HTTP header called Authorization. This header contains the authorization method (in this case Basic) and the user name and password of the logged-in user in the format base64(username:password).

For normal HTTP requests, this looks like this:

For websocket communication, there is only one HTTP request: the handshake that leads to the protocol upgrade. And that is precisely where we have to add this header. Assuming that our websocket server listens on 127.0.0.1 with the endpoint at /api/ws

The websocket server will decode the base64-encoded username and password to authenticate the user and only send the successful response (HTTP/1.1 101 Switching Protocols) if authentication succeeds. If not, it will send an error response (HTTP/1.1 401 Unauthorized) instead.

3. Add “Authorization” header to the websocket handshake

To achieve this using the Undertow websocket client (WebSocketClient and WebSocketChannel), all we have to do is pass the above mentioned Authorization header manually in the HTTP-based handshake. This can be done by passing a WebSocketClientNegotiation object with a WebSocketExtension to the call of WebSocketClient.connect(). The full code is available in the Syncany GUI plugin:

The code actually looks more complicated than it is, because the XNIO worker is configured to support SSL/TLS.
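To make the exchange from sections 2 and 3 concrete, here is an added, self-contained Python illustration of both sides of the handshake. It is not Syncany's code and does not use Undertow: the client builds the upgrade request and adds the Basic Authorization header before sending it (the job the WebSocketClientNegotiation hook does in the Undertow client), and the server decodes the header, checks the credentials and answers with 101 Switching Protocols or 401 Unauthorized. The user name, password, host and realm are constructed sample values; the Sec-WebSocket-Key/Accept handling follows RFC 6455 so the server's reply is a genuine handshake response.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# RFC 6455 GUID used to derive Sec-WebSocket-Accept from Sec-WebSocket-Key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed sample credential store (username -> password). A real daemon
# would store a salted password hash rather than the plaintext password.
USERS = {"admin": "correct horse battery staple"}


def basic_auth_header(username: str, password: str) -> str:
    """Value of the HTTP Basic 'Authorization' header: 'Basic ' + base64(username:password)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_handshake(host: str, path: str, username: str, password: str,
                    ws_key: Optional[str] = None) -> str:
    """Client side: the single HTTP request of a websocket session (the upgrade
    handshake) with the Authorization header added before it goes on the wire."""
    if ws_key is None:
        ws_key = base64.b64encode(os.urandom(16)).decode("ascii")
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {ws_key}",
        "Sec-WebSocket-Version: 13",
        f"Authorization: {basic_auth_header(username, password)}",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into its request line and a lower-cased header map."""
    head = raw.partition("\r\n\r\n")[0]
    request_line, *header_lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def check_basic_auth(header_value: Optional[str]) -> Optional[str]:
    """Return the authenticated username, or None if the header is missing or invalid."""
    if not header_value:
        return None
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 or non-UTF-8 payload
    username, sep, password = decoded.partition(":")
    if not sep:
        return None  # no 'username:password' separator
    expected = USERS.get(username)
    # Constant-time comparison so response timing does not reveal matching prefixes.
    if expected is None or not hmac.compare_digest(password.encode("utf-8"),
                                                   expected.encode("utf-8")):
        return None
    return username


def handle_handshake(raw_request: str) -> str:
    """Server side: authenticate the upgrade request, then answer 101 or 401."""
    _, headers = parse_request(raw_request)
    if check_basic_auth(headers.get("authorization")) is None:
        return ("HTTP/1.1 401 Unauthorized\r\n"
                "WWW-Authenticate: Basic realm=\"syncany\"\r\n"
                "Content-Length: 0\r\n\r\n")
    if headers.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in headers:
        return "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    accept = base64.b64encode(
        hashlib.sha1((headers["sec-websocket-key"] + WS_GUID).encode("ascii")).digest()
    ).decode("ascii")
    return ("HTTP/1.1 101 Switching Protocols\r\n"
            "Upgrade: websocket\r\n"
            "Connection: Upgrade\r\n"
            f"Sec-WebSocket-Accept: {accept}\r\n\r\n")


def status_of(response: str) -> int:
    """Numeric status code of an HTTP response string."""
    return int(response.split(" ", 2)[1])


if __name__ == "__main__":
    good = build_handshake("127.0.0.1", "/api/ws", "admin", "correct horse battery staple")
    bad = build_handshake("127.0.0.1", "/api/ws", "admin", "wrong password")
    print(status_of(handle_handshake(good)))  # 101
    print(status_of(handle_handshake(bad)))   # 401
```

Note that nothing here protects the base64 token itself; it is trivially reversible, which is why the post insists on HTTPS for the handshake. The server also sends WWW-Authenticate on the 401 so that ordinary HTTP clients know which scheme to retry with.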

A. About this post

I’m trying a new section for my blog. I call it Code Snippets. It’ll be very short, code-focused posts of things I recently discovered or find fascinating or helpful. I hope this helps.
