Authentication Schemes

AppPerfect products support several authentication mechanisms. If your application requires authentication, you need to configure the same scheme in AppPerfect while recording or replaying a test. Details of each supported authentication scheme follow.

Basic Authentication:

Basic authentication is a simple scheme, defined in RFC 2617 (updated by RFC 7617), that offers little protection on its own. The username and password are sent Base64-encoded, not encrypted, in the Authorization header, so anyone with access to the packet data can decode them. Basic authentication should therefore only be used over HTTPS, which encrypts the request and response in transit.

Digest Authentication:

Digest authentication (also defined in RFC 2617, updated by RFC 7616) is more secure than Basic: instead of sending the password, the client sends an MD5 hash computed over the username, realm, password, server nonce and request details, so the password itself never crosses the wire. Digest also lets the server prove to the client that it too knows the shared secret (the password), by returning its own hash in the Authentication-Info response header. Note that MD5 is a weak hash by modern standards and that Digest protects only the credentials; it does not encrypt the request, so it is no substitute for HTTPS.
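The following is an added example, not part of the AppPerfect documentation, showing what the Basic and Digest schemes described above actually put on the wire. The Basic credentials are constructed sample values; the Digest inputs are the worked example from RFC 2617 section 3.5, so the computed response can be compared with the value the RFC publishes. The class and method names are the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

// Added example: what Basic and Digest authentication send over HTTP.
public class HttpAuthOnTheWire {

    // Basic: "user:password" in Base64. This is an encoding, not encryption.
    static String basicHeader(String user, String password) {
        String raw = user + ":" + password;
        return "Basic " + Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    // What anyone holding the packet data does with that header: decode it back.
    static String[] recoverBasicCredentials(String authorizationHeader) {
        String b64 = authorizationHeader.substring("Basic ".length()).trim();
        String raw = new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
        return raw.split(":", 2); // [user, password]; a password may itself contain ':'
    }

    static String md5Hex(String s) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.ISO_8859_1));
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Digest (RFC 2617, qop="auth"):
    //   HA1 = MD5(user:realm:password), HA2 = MD5(method:uri)
    //   response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    // Only 'response' is sent; the password never leaves the client.
    static String digestResponse(String user, String realm, String password, String method, String uri,
                                 String nonce, String nc, String cnonce, String qop)
            throws NoSuchAlgorithmException {
        String ha1 = md5Hex(user + ":" + realm + ":" + password);
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2);
    }

    // Mutual part: the server's Authentication-Info header carries rspauth, computed
    // with the same formula but an empty method in HA2 (RFC 2617 section 3.2.3).
    // A client that recomputes it knows the server also holds the password.
    static String digestRspauth(String user, String realm, String password, String uri,
                                String nonce, String nc, String cnonce, String qop)
            throws NoSuchAlgorithmException {
        return digestResponse(user, realm, password, "", uri, nonce, nc, cnonce, qop);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample credentials.
        String header = basicHeader("alice", "s3cret");
        String[] creds = recoverBasicCredentials(header);
        System.out.println(header + " decodes to user=" + creds[0] + " password=" + creds[1]);

        // Inputs from the worked example in RFC 2617 section 3.5.
        String response = digestResponse("Mufasa", "testrealm@host.com", "Circle Of Life",
                "GET", "/dir/index.html",
                "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b", "auth");
        System.out.println("Digest response=" + response);
        System.out.println("matches the value published in RFC 2617: "
                + "6629fae49393a05397450978507c4ef1".equals(response));

        // The server proves knowledge of the secret for the same exchange.
        String rspauth = digestRspauth("Mufasa", "testrealm@host.com", "Circle Of Life", "/dir/index.html",
                "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b", "auth");
        System.out.println("Authentication-Info: rspauth=\"" + rspauth + "\"");
    }
}
```

Run it with `javac HttpAuthOnTheWire.java && java HttpAuthOnTheWire`. The Basic header round-trips to the clear-text credentials with nothing more than a Base64 decoder, which is the whole reason it needs HTTPS; the Digest response is a one-way hash bound to the server's nonce, and a client that checks rspauth gets the server-side proof the text describes.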

NTLM Authentication:

NTLM is a proprietary scheme defined by Microsoft. It is more secure than Basic, but less secure than Digest. NTLM can be used with proxies or with servers, but not with both at the same time: if a proxy is authenticated with NTLM, NTLM cannot also be used for server authentication on that connection. This is because the protocol authenticates the TCP connection rather than the individual HTTP requests. On Microsoft Windows platforms, NTLM authentication first attempts to acquire the user's credentials from the system without calling the application's Authenticator object; only if the server rejects those credentials is the Authenticator called.
Because the Java Authenticator class was defined before NTLM was supported, the API has no field for the NTLM domain. There are three ways to specify the domain:
a) Do not specify it. In some environments the domain is not actually required and the application need not supply it.
b) Encode the domain in the username by prefixing it, followed by a backslash '\', to the username (for example DOMAIN\user). With this method, existing applications that use the Authenticator class do not need to be modified, so long as users are told to use this notation.
c) Set the system property "http.auth.ntlm.domain"; its value is used as the domain name.
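The following is an added example, not code from AppPerfect, showing how a Java client supplies NTLM credentials through java.net.Authenticator using options (b) and (c) above, and how it avoids the proxy-plus-server case the text warns about. The domain "CORP", the account, the password and the intranet URL are assumed values; the class and helper names are the example's own.

```java
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.PasswordAuthentication;
import java.net.URL;

// Added example: supplying NTLM credentials and the domain via java.net.Authenticator.
public class NtlmAuthenticatorExample {

    // Option (b) username form, "DOMAIN\user". An empty domain (option (a))
    // yields the bare username.
    static String ntlmUserName(String domain, String user) {
        return (domain == null || domain.isEmpty()) ? user : domain + "\\" + user;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: a domain, an account and an intranet URL that challenges with NTLM.
        final String domain = "CORP";
        final String user = "alice";
        final char[] password = "s3cret".toCharArray();
        final String target = "http://intranet.example.internal/report";

        // Flip to true to use option (c) instead of option (b).
        final boolean useDomainProperty = false;
        if (useDomainProperty) {
            System.setProperty("http.auth.ntlm.domain", domain);
        }

        Authenticator.setDefault(new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                // On Windows this is reached only after the silent attempt with the
                // logged-on user's credentials was rejected by the server.
                if (!"ntlm".equalsIgnoreCase(getRequestingScheme())) {
                    return null; // do not hand the NTLM password to other schemes
                }
                // NTLM binds the whole TCP connection, so answer either the proxy
                // challenge or the server challenge, never both on one connection.
                if (getRequestorType() == RequestorType.PROXY) {
                    return null; // this client authenticates to the server only
                }
                // Option (c): plain username, domain taken from the system property.
                // Option (b): domain encoded in the username itself.
                String name = useDomainProperty ? user : ntlmUserName(domain, user);
                return new PasswordAuthentication(name, password.clone());
            }
        });

        HttpURLConnection conn = (HttpURLConnection) new URL(target).openConnection();
        System.out.println("HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

The scheme and requestor-type checks matter in practice: a default Authenticator that returns the same PasswordAuthentication for every challenge will send the NTLM password to any proxy or server that asks with Basic, and will try to answer both a proxy and a server challenge on one connection, which NTLM cannot do.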

Two-way SSL Authentication:

The SSL protocol, developed by Netscape in the mid-1990s, allows clients and HTTP servers to communicate over a secure connection. It offers encryption, authentication of the communicating parties, and data integrity to protect information exchanged over insecure, public networks. SSL 3.0 was the last SSL version; it has been superseded by TLS (TLS 1.2 and 1.3 today) and is itself deprecated by RFC 7568, so it should be disabled wherever possible, although the term "SSL" is still widely used for TLS connections. In HTTPS communication the server presents the client with an SSL certificate, a set of credentials by which it identifies itself, when the client first connects.

Two-way SSL authentication (also called mutual TLS) is the most secure of the mechanisms listed here. Both client and server authenticate each other: the client presents its own SSL certificate when it opens the connection, and the server validates that certificate against the certificate authorities it trusts to identify the client. This mechanism can be combined with username and password authentication to identify the user as well as the client.
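The following is an added example, not AppPerfect's own code, showing the two halves of mutual TLS in Java: a client SSLContext that presents its own certificate and verifies the server's, and the server-side switch that makes the client certificate mandatory. The keystore file names, passwords and the target URL are assumed values; the class and method names are the example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Added example: client and server sides of two-way (mutual) TLS.
public class MutualTlsExample {

    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Key managers supply this side's certificate and private key when the peer asks
    // for them; trust managers verify the peer's certificate chain. The same builder
    // serves the server with its own keystore and a truststore of client CAs.
    static SSLContext buildContext(String keyStoreP12, char[] keyStorePw,
                                   String trustStoreP12, char[] trustStorePw) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadKeyStore(keyStoreP12, keyStorePw), keyStorePw);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadKeyStore(trustStoreP12, trustStorePw));

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Server side: without setNeedClientAuth(true) the handshake also succeeds when the
    // client sends no certificate at all, and you silently have one-way TLS.
    static SSLServerSocket mutualTlsServerSocket(SSLContext serverCtx, int port) throws Exception {
        SSLServerSocketFactory factory = serverCtx.getServerSocketFactory();
        SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(port);
        socket.setNeedClientAuth(true);
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Assumed files: client.p12 holds the client certificate and key,
        // truststore.p12 holds the CA that issued the server certificate.
        SSLContext clientCtx = buildContext("client.p12", "changeit".toCharArray(),
                                            "truststore.p12", "changeit".toCharArray());
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://api.example.com/").openConnection();
        conn.setSSLSocketFactory(clientCtx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

For a client you cannot modify, the standard JSSE system properties do the same job for the default HttpsURLConnection: javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword select the client certificate, and javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword select the trusted CAs. Never replace the TrustManager with one that accepts every certificate to "fix" a handshake error; that removes the server-authentication half of the scheme. Any username and password step described above then happens at the application layer, after the TLS handshake has identified the client.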