JAVA AND BASIC AUTHENTICATION

Some Web sites employ Basic Authentication, which prompts users to enter their login information into a small pop-up window. Accessing these sites from a program can be difficult. Fortunately, Java has a structure that helps, available from version 1.2 onwards. It allows you to plug a username and password into the IO system, which then automatically logs in to a Basic Authentication-protected Web site when the site is accessed through a URL object.

When Java talks to a Web site through a URL object, it automatically checks for a statically available Authenticator object. The class java.net.Authenticator has two important methods: one that sets the Authenticator to use and another that is overridden to supply the username and password. Setting a new Authenticator can be performed only once and is done with the following code:

    Authenticator.setDefault( new SpecialAuthenticator() );

The subclassed SpecialAuthenticator overrides the method getPasswordAuthentication, which returns an object of the final class PasswordAuthentication. A null return implies that a username and password combination is not available.

    import java.net.Authenticator;
    import java.net.PasswordAuthentication;

    public class SpecialAuthenticator extends Authenticator {
        // Called by the IO system when a site asks for credentials.
        @Override
        public PasswordAuthentication getPasswordAuthentication() {
            // The password is held in a char array, not a String.
            char[] passwd = new char[] { 'b', 'o', 'b' };
            return new PasswordAuthentication("bob", passwd);
        }
    }

As shown in the example above, the password is created using a character array and not a String. When the Authenticator has finished with the PasswordAuthentication object, it wipes the character array. This makes it hard for someone with access to the machine memory to snoop the password value. However, in our simple example, the password value appears in the class's bytecode.

In addition, there are methods that validate which site is currently being talked to.
For example:

    // the address of the site being accessed
    protected final InetAddress getRequestingSite()

    // the prompt sent by the website
    protected final String getRequestingPrompt()

With these components available, it's easy to see how to create an Authenticator that checks an encrypted file for Web site addresses, usernames, and passwords. If a Web site address is found in the encrypted file, it returns a PasswordAuthentication object. If one isn't found, it returns null. With this in hand, accessing Web sites that use Basic Authentication should no longer be a problem.
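The per-site lookup described above, as an added example that is not code from the original article: the credentials are returned only to a site found in the store, and null is returned otherwise. Assumptions: the Map stands in for the already-decrypted file contents, the class name StoreAuthenticator and the host names are made up, and the HTTPS, scheme and requestor-type checks go beyond what the article describes.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.net.URI;
import java.net.URL;
import java.util.Locale;
import java.util.Map;

public class StoreAuthenticator extends Authenticator {
    // Assumption: host -> credentials, as loaded from the decrypted file.
    private final Map<String, PasswordAuthentication> store;

    public StoreAuthenticator(Map<String, PasswordAuthentication> store) {
        this.store = Map.copyOf(store);
    }

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        URL url = getRequestingURL();
        String host = getRequestingHost();
        // Basic credentials are only base64-encoded, so require TLS.
        if (url == null || host == null || !"https".equals(url.getProtocol())) return null;
        // Answer origin servers only, not proxy challenges.
        if (getRequestorType() != RequestorType.SERVER) return null;
        if (!"basic".equalsIgnoreCase(getRequestingScheme())) return null;
        PasswordAuthentication entry = store.get(host.toLowerCase(Locale.ROOT));
        if (entry == null) return null; // unknown site: no credentials
        // New object per request; the constructor copies the password array.
        return new PasswordAuthentication(entry.getUserName(), entry.getPassword());
    }

    // Offline check: raise the same challenge the HTTP stack would raise.
    static boolean answers(String url, RequestorType type) throws Exception {
        URL u = URI.create(url).toURL();
        return Authenticator.requestPasswordAuthentication(u.getHost(), null,
                u.getPort(), u.getProtocol(), "realm", "basic", u, type) != null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample entry; host and credentials are made up.
        Authenticator.setDefault(new StoreAuthenticator(Map.of("reports.example",
                new PasswordAuthentication("bob", new char[] {'b', 'o', 'b'}))));
        System.out.println(answers("https://reports.example/q", RequestorType.SERVER));
        System.out.println(answers("http://reports.example/q", RequestorType.SERVER));
        System.out.println(answers("https://other.example/", RequestorType.SERVER));
        System.out.println(answers("https://reports.example/q", RequestorType.PROXY));
    }
}
```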