Password protect for arduino webserver?

I would like that when I connect to my webserver I have to enter a password before I can see the server.

Are there any examples on how to do that?

I think the easiest way might be to have your client send in a cookie that contains the username/password info and to have your web server refuse to respond unless the cookie clears verification ("session-based" auth). Principal-based authentication is not defined in the HTTP protocol (as far as I know), and usually such authentication is done through web pages. So short of using HTTP headers and cookies you will most likely have to extend the protocol to support these semantics yourself.

Just my 2 cents' worth of course.

You could do something cheap like using the password text as the page to redirect to... eg collect the password, append ".html" to it and try to redirect to it... eg user enters "fred", which is correct so you have a fred.html and your authentication page redirects to fred.html - otherwise the user will redirect to an unknown page and get a 404... depending on your requirements this might be enough... YMMV..

That's prolly only 1c worth.. :wink:

Cheers,

A question to those who know more than I do...

Not "rigorous", but suppose I had a little web server, and wanted only me to be able to make it do its thing.

Suppose the webserver's URL was "MyWS.com"

It would be easy (well, relatively!) to program it to respond only to, say...

MyWS.com?pw=MyPassword123

What avenues would be available to Bad Guys who wanted to find out how to get the web server to do whatever it is programmed to do when accessed with the extra bit?

"Bad Guys" typically exploit known bugs in particular server software (eg ISS) to get in. Because you're building a custom server it's going to be harder off the bat for them to exploit known bugs because they'll be working blind. You'd need to make sure your code handles buffer overruns (ie really parameters etc) as they are a nice avenue to exploit.

Also a lot of the "Bad Guys" are just script-kiddies following how-to's - and if the results deviate from what they expect they'll move on to an easier target.

Cheers,

Here is the example

"Bad guys" might also do a man in the middle attack and intercept the unencrypted password string :frowning:

It's true. Bad guys can do many things. Arduino is too poor to handle asymmetric crypto, but some sort of response-challenge algorithm could fit :slight_smile:

but some sort of response-challenge algorithm could fit

Definitely :slight_smile:

One of the best ways to generally keep the bad guys away is to not publicly post links to your server. If your server handles something sensitive, you probably need to go with a pc server with built in security features. What level of security do you need?

It's not difficult to implement "Basic Access Authentication".

From wikipedia:
Client request (no authentication):

GET /private/index.html HTTP/1.1
Host: localhost

(followed by a new line, in the form of a carriage return followed by a line feed).

Server response:

HTTP/1.1 401 Authorization Required
Server: HTTPd/1.0
Date: Sat, 27 Nov 2004 10:18:15 GMT
WWW-Authenticate: Basic realm="Secure Area"
Content-Type: text/html
Content-Length: 311

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<HTML>
  <HEAD>
    <TITLE>Error</TITLE>
    <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
  </HEAD>
  <BODY><H1>401 Unauthorized.</H1></BODY>
</HTML>

Client request (user name "Aladdin", password "open sesame"):

GET /private/index.html HTTP/1.1
Host: localhost
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

You will need the adamvr/arduino-base64 library from GitHub (a base64 library for the arduino platform, written in C) and to hack http://arduino.cc/en/Tutorial/WebServer to answer HTTP response 401, and wait for authentication data.

Yes, it's not secure (base64 is easily encoded, decoded). A more secure way to do this is using "Digest Access Authentication" and you'll need an MD5 hash library. Need more hacks also but could be done on arduino.
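The Basic Access Authentication check described in the post above, as an added example that is not part of the original thread or of any poster's code: plain C++ with no Arduino library calls, so the parsing is independent of the Ethernet chip. The function names, the 48-byte credential buffer and the `Connection: close` header are assumptions; the credentials are the Wikipedia sample quoted above.

```cpp
#include <stddef.h>
#include <string.h>

// 401 challenge from the exchange quoted above; "Connection: close" is an addition.
const char CHALLENGE[] =
    "HTTP/1.1 401 Authorization Required\r\n"
    "WWW-Authenticate: Basic realm=\"Secure Area\"\r\n"
    "Connection: close\r\n\r\n";

static int b64val(char c) {  // value of one base64 character, -1 if invalid
  if (c >= 'A' && c <= 'Z') return c - 'A';
  if (c >= 'a' && c <= 'z') return c - 'a' + 26;
  if (c >= '0' && c <= '9') return c - '0' + 52;
  return c == '+' ? 62 : c == '/' ? 63 : -1;
}

// Decode until '=', CR, LF or NUL. Returns the byte count, or -1 on a bad
// character or when the result would not fit in out[cap] (no buffer overrun).
static int b64decode(const char *in, char *out, size_t cap) {
  size_t n = 0;
  unsigned acc = 0, bits = 0;
  for (; *in && *in != '=' && *in != '\r' && *in != '\n'; ++in) {
    int v = b64val(*in);
    if (v < 0) return -1;
    acc = (acc << 6) | (unsigned)v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      if (n >= cap) return -1;
      out[n++] = (char)((acc >> bits) & 0xFF);
    }
  }
  return (int)n;
}

// Returns 200 when the header line carries the expected "user:password",
// otherwise 401 (the caller then sends CHALLENGE and closes the connection).
// Header-name matching is simplified to the exact spelling browsers send.
int checkBasicAuth(const char *line, const char *expected) {
  static const char prefix[] = "Authorization: Basic ";
  if (strncmp(line, prefix, sizeof(prefix) - 1) != 0) return 401;
  char creds[48];  // assumed upper bound for "user:password"
  int n = b64decode(line + sizeof(prefix) - 1, creds, sizeof(creds));
  size_t want = strlen(expected);
  unsigned char diff = (unsigned char)(n < 0 || (size_t)n != want);
  for (size_t i = 0; i < want && n >= 0; ++i)  // compare without early exit
    diff |= (unsigned char)((i < (size_t)n ? creds[i] : 0) ^ expected[i]);
  return diff == 0 ? 200 : 401;
}
```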

Sure, but it will not protect you against man in the middle attack. Simple form will do the same thing :slight_smile:

I would like to control some home equipment connected to my arduino on or off. High security won't be necessary.

I still have no idea how to implement the basic authentication in a sketch.

I'll try to implement this next week. I'll keep you informed!

cool :slight_smile:

tubos:
I would like to control some home equipment connected to my arduino on or off. High security won't be necessary.

I still have no idea how to implement the basic authentication in a sketch.

Did you check my example?

I would like to control some home equipment connected to my arduino on or off. High security won't be necessary.

Running your arduino on a non standard port behind a router and not releasing public links to the arduino URL may be all you need.

@arian, yes, I looked at your example but I noticed it was for the ENC28J60 Ethernet chip.
I have the arduino ethernet board with the W5100 chip.

@zoomkat, yes, I'm already doing that port 'trick' but I was looking for some extra security which I could use for other projects as well.

tubos:
@arian, yes, I looked at your example but I noticed it was for the ENC28J60 Ethernet chip.
I have the arduino ethernet board with the W5100 chip.

That's correct, it's for enc28j60, but the parsing functions that you are looking for worked on application layer - which is chip independent.

I'm also in need of this. Looking for the simplest way of doing this as well. For what it's worth I'll try using the TextFinder Library and the HTML password field. I'll see how it goes...

I'll be checking the forum as well xD