Basic HTTP Auth Mock
To enforce Basic HTTP Auth, use response with HTTP 401 when the request has no `Authorization` header.
For simplicity, MockMotor doesn’t require any authentication for incoming calls. However, sometimes the authentication exchange is the part that we need to test.
No problem, let’s simulate the Basic HTTP Auth logic.
What is Basic HTTP Auth
Basic HTTP Auth is one of the simplest ways to authenticate a web request. It sends a username and a password encoded (but not encrypted!) with each request.
Because the password can be read from the request, it is not secure when used over a plain HTTP connection.
A classic, two-request Basic HTTP Auth exchange goes like this:
1 A client calls a server with a web request.
POST http://127.0.0.1:7080/SelfTest/ForwardAuth HTTP/1.1 Content-Type: text/xml;charset=UTF-8 Content-Length: 44 Host: 127.0.0.1:7080 <HelloKitty> <Data>123</Data> </HelloKitty>
2 The server notices that the request is not authenticated:
Authorization HTTP header is missing.
3 The server responds with status
HTTP 401 and a header
HTTP/1.1 401 Unauthenticated WWW-Authenticate: Basic realm="accounting" ...
4 The client combines the username and the password into one string separating them with a colon, e.g.
accounting:passw0rd, and encodes it as Base64, e.g.
5 The request is repeated with the same payload and a new HTTP header
Authorization: Basic YWNjb3VudGluZzpwYXNzdzByZA==
POST http://127.0.0.1:7080/SelfTest/ForwardAuth HTTP/1.1 Authorization: Basic YWNjb3VudGluZzpwYXNzdzByZA== Content-Type: text/xml;charset=UTF-8 Content-Length: 44 Host: 127.0.0.1:7080 <HelloKitty> <Data>123</Data> </HelloKitty>
6 The server reads
Authorization HTTP header from the request, extracts the username and the password from it and permits (or denies) the access.
HTTP/1.1 200 OK Date: Mon, 25 Dec 2017 00:17:25 GMT Content-Type: text/xml; charset=UTF-8 Content-Length: 750 <HelloKittyResponse> ...
As you can notice, each transaction authenticated with Basic HTTP requires two HTTP requests. That takes extra network roundtrip time, increases the network saturation and consumes more resources on the client and the server. To remedy this problem, the client can pre-authenticate the request.
With a pre-authenticated request, the client sends the
Authorization header with its first request and not waiting for
HTTP 401 response. In other words, it starts right from step 4.
In fact, if the client doesn't pre-authenticate, you should point it out as a performance issue and fix it.
How to Mock Basic HTTP Auth
If you need to reproduce the server Basic HTTP Auth behaviour, create a response that matches only if
Authorization header is NOT present. This response must be the first on the list.
In that response, reply with
Authorization header is found, MockMotor continues searching down the list, i.e. any response under the
Reject ... is guaranteed to be authenticated.
Here is the full configuration of
Reject unauthenticated requests response (unrelated sections are hidden):
1 The request matches only if the
Authorization header is missing.
2 The response payload is a plain text string advising to authenticate.
3 HTTP Status is 401.
4 HTTP header
WWW-Authenticate with value
Basic added to the response.
Of course, the performed match is not too strict. We only check for the header presence, while we could also check for the specific type of Authorization (
and even for the correctness of username and password values. However, this basic level of simulation is usually enough for testing. Feel free to improve the checks if it is required.
Check out Basic HTTP Auth on the demo site.