How do you determine if a REST webservice is using Basic, Kerberos, NTLM, or one of the many other authentication methods?
When you send an unauthenticated request, the service has to respond with an “HTTP/1.1 401 Unauthorized”, and the response contains a WWW-Authenticate header that specifies what authentication scheme is expected (Basic, Digest), the security realm and any other specific value (like Digest’s nonce). So if the server responds with: it wants a Digest authentication. If the response looks like:
then it wants a Basic authentication. Some (poorly) implemented servers/sites don’t handle the Basic correctly and respond directly with 403 Forbidden instead of challenging first.
NTLM is similar in that the server responds with a 401 and a WWW-Authenticate header with the value NTLM, but there is no official public spec for it, since it is Microsoft proprietary. There are various reverse-engineered descriptions.
Unfortunately REST does not come with a WSDL style description of service to discover the authentication scheme used a priori.
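The check described in the answer, as an added example that is not part of the original post: a Python parser that reads the status line and WWW-Authenticate headers of the response to an unauthenticated request and lists the schemes offered, including the 403-without-challenge case. The sample responses are constructed, the function names are hypothetical, and Kerberos normally appears under the Negotiate scheme.

```python
import re

_TOK = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
# name=value or name="quoted value" (an auth-param in RFC 7235 terms)
_PARAM = re.compile(rf'^({_TOK})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({_TOK}))$')
# Commas outside double quotes separate params and challenges
_COMMA = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_challenges(values):
    """Parse WWW-Authenticate header values into a list of challenges."""
    out = []
    for value in values:
        current = None
        for piece in (p.strip() for p in _COMMA.split(value)):
            m = _PARAM.match(piece)
            if m:  # further parameter of the challenge already open
                if current is not None:
                    current["params"][m[1].lower()] = m[2] if m[2] is not None else m[3]
                continue
            if not piece:
                continue
            scheme, _, rest = piece.partition(" ")
            current = {"scheme": scheme, "params": {}, "token68": None}
            out.append(current)
            m = _PARAM.match(rest.strip())
            if m:
                current["params"][m[1].lower()] = m[2] if m[2] is not None else m[3]
            elif rest.strip():
                current["token68"] = rest.strip()  # opaque blob, as NTLM/Negotiate send
    return out

def detect(raw):
    """Return (status, [schemes offered]) for a raw HTTP response head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    values = [ln.split(":", 1)[1] for ln in lines[1:]
              if ln.lower().startswith("www-authenticate:")]
    return status, [c["scheme"] for c in parse_challenges(values)]

# Constructed sample responses (not captured from any real service)
DIGEST = ('HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Digest realm="api@example.test", '
          'qop="auth,auth-int", nonce="constructed-nonce"\r\n\r\n')
INTEGRATED = "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n\r\n"
JOINED = 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate, NTLM, Basic realm="Secure Area"\r\n\r\n'
FORBIDDEN = "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"  # no challenge sent

if __name__ == "__main__":
    for name, raw in [("digest", DIGEST), ("integrated", INTEGRATED), ("joined", JOINED), ("403", FORBIDDEN)]:
        print(name, detect(raw))
```

An empty scheme list with a 403 status is the misbehaving-server case: the scheme cannot be read from the response and has to come from the service's documentation.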