2

I want to redirect a user from one web page on one server to another page on another server. The first application uses Active Directory for authentication. The second application is not using Active Directory for authentication. However, the second application allows sending the auth header with basic authentication in the HTTP GET request.

I tested sending the Auth header and was successful:

function DoLogin()
{
    var xmlhttp;
    if (window.XMLHttpRequest)
    {   // code for IE7+, Firefox, Chrome, Opera, Safari
        xmlhttp = new XMLHttpRequest();
    }
    else
    {   // code for IE6, IE5
        xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
    xmlhttp.onreadystatechange = function()
    {
        // Wait for the request to finish, then branch on the status code
        // (checking status==200 in the outer condition would make the else branch unreachable)
        if (xmlhttp.readyState == 4)
        {
            if (xmlhttp.status == 200)
                window.location = "http://server:port/home";
            else
                document.getElementById("myDiv").innerHTML = "Error in Login";
        }
    }
    xmlhttp.open("GET", "http://server:port/auth", true);
    xmlhttp.setRequestHeader("Accept", "application/rdf+xml");
    // Hard-coded Basic credentials: base64 of "username:password", value as posted
    xmlhttp.setRequestHeader("Authorization", "Basic Z29082FtaWs6TDN0bWVpbkBPZmZp=45^");
    xmlhttp.send();
}

However, in this code I have sent a hardcoded set of credentials. I do not have access to the username and password that are required to create this hash. I want to know if there is any way to grab this hash of credentials and pass them on?

Kangkan
  • 15,267
  • 10
  • 70
  • 113
  • possible duplicate of [Pure Javascript code for HTTP Basic Authentication?](http://stackoverflow.com/questions/491914/pure-javascript-code-for-http-basic-authentication) – Sirko Oct 17 '12 at 09:43
  • I am not sure whether you are aware of web application security, but it looks like your username and password are hidden in your question. You may want to take a look at http://en.wikipedia.org/wiki/Basic_access_authentication on how the authorization header is constructed. – Ramesh Oct 17 '12 at 09:44
  • 1
    @Sirko: This is not a duplicate. In the post, that you are pointing to, the assumption is that the username/password pair is known. For me, I do not know it and shall like to forward the same set as being used for the current page. – Kangkan Oct 17 '12 at 09:52
  • @Ramesh: The username and password is not hidden in the question. If you read the paragraph after the code, I said that I am passing it hard-coded at this point. I want to send the hash for the user that is accessing the current page. – Kangkan Oct 17 '12 at 09:53
  • @Kangkan Z29zd2F*************ZmZpY2U is the encoded representation of your username and password. Anyone can easily find this out. At least mask this value. – Ramesh Oct 17 '12 at 09:55

1 Answer

2

For security reasons I think there is not, and there should not be, a way to get these credentials of the Active Directory authentication of the first site (site A).

Your options are

  1. Implement Active Directory Authentication on the second server as well
  2. As a workaround, implement some kind of token based authentication that lets the user access site B after he has identified himself to site A.

In both cases you need access to site B.

If you do not have access to site B I do not see a solution.

Alex
  • 32,506
  • 16
  • 106
  • 171