Many websites contain sensitive information and must restrict access to authorized users. Authentication and authorization mechanisms provide this access control. Access is usually controlled by an authentication procedure that establishes the identity of the user and then grants the privileges authorized for that identity. A user name and password are usually used as identification credentials. If the specified user name/password pair is valid, the person is considered an authenticated user, and the site logic then determines which resources the user can access.

This article describes the authentication mechanisms that you can use with Image Uploader. Both versions of the uploader (ActiveX and Java) support them; however, they do so in different ways.

In addition, both versions of the uploader support HTTPS connections.

The main difference between the two versions of Image Uploader from the authentication point of view is that Image Uploader Java is not integrated with the browser. Although the Java applet can get additional data and cookie values through HTML and client-side JavaScript, it opens connection sockets "manually" and sends files and other data independently of the browser. Hence, it cannot use most of the browser security settings or the authentication mechanism used on the page that hosts Image Uploader Java. In contrast, the ActiveX version uses the Internet Explorer HTTP communication layer to upload files and has no custom implementation of the upload mechanism. The transfer is performed in the same way as it is done by Internet Explorer. As a result, Image Uploader ActiveX uses the same HTTP settings as the web page hosting the control.

Due to this difference, you need to perform some additional steps to implement authentication in the Java version. For example, you need to explicitly specify the authentication type used on your site (basic or NTLM) or call a special method to preserve HTTP-only cookies during the upload. See the sections below for detailed information on how this difference affects each authentication type.

Basic Authentication

Basic authentication is widely used on the Internet because it is supported by most browsers and is easy to implement. Nevertheless, this mechanism has a serious security vulnerability: it sends the user name and password over the network as plain text. This authentication scheme does not require any server-side scripting support; all you need is to set up your web server to protect pages with basic authentication. For instructions, refer to your web server documentation.

If your site is secured using basic authentication and the user is already logged in, the ActiveX version will allow uploading files without asking for a user name and password. The Java version will pop up a login dialog, prompting the user to provide their credentials.

Basic Authentication Dialog

If your site is protected with basic authentication, you should set the AuthenticationType property to the Basic value. If you want to customize this dialog, use the AuthenticationRequestBasicText property.

JavaScript

<script language="javascript" src='../iuembed.js'>  </script>
<script language="javascript">
var iu = new ImageUploaderWriter("ImageUploader", 710, 500);

//...Any other params...

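// Only the Java applet needs this: it opens its own connections, whereas
// the ActiveX control uploads through Internet Explorer's HTTP layer.
if (iu.getControlType() == "Java")
    iu.addParam("AuthenticationType", "Basic");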

iu.writeHtml();
</script>
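
Why the plain-text warning above matters in practice, as an added example that is not part of the original article or the product's code: the Basic header is only Base64-encoded, so it is readable on the wire unless the upload target is HTTPS. `decodeBasic`, `checkBasicTransport` and the sample URLs are hypothetical; `AuthenticationType` and `Action` are the property names used in this article.

```javascript
// Added example: decodeBasic, checkBasicTransport and the sample values are
// hypothetical; only AuthenticationType and Action come from this article.

// Decode "Basic <base64(user:password)>" (RFC 7617) to show what is on the wire.
function decodeBasic(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/]+={0,2})$/i.exec(headerValue || "");
  if (!m) return null;
  const text = Buffer.from(m[1], "base64").toString("utf8");
  const sep = text.indexOf(":"); // the user name cannot contain ":", the password can
  return sep < 0 ? null : { user: text.slice(0, sep), password: text.slice(sep + 1) };
}

// Resolve the upload target the way a browser resolves a relative URL and
// report whether Basic credentials sent to it would travel without TLS.
function checkBasicTransport(params, pageUrl) {
  const target = new URL(params.Action || "", pageUrl);
  const basic = params.AuthenticationType === "Basic";
  return {
    target: target.href,
    basic,
    cleartextCredentials: basic && target.protocol !== "https:",
  };
}

// Constructed sample: the header a client would build for alice / "s3cret:pw".
const sampleHeader = "Basic " + Buffer.from("alice:s3cret:pw").toString("base64");
console.log(decodeBasic(sampleHeader));
console.log(checkBasicTransport(
  { AuthenticationType: "Basic", Action: "upload.aspx" },
  "http://intranet.example/gallery/default.aspx"));
```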

Integrated Windows Authentication (NTLM)

Integrated Windows Authentication (also known as Windows NT Challenge/Response or NTLM authentication) directly uses Windows NT user accounts. Unlike basic authentication, it hashes the user name and password before transmitting them across the network. This authentication scheme does not require any server-side scripting support either. For instructions on configuring your web server, refer to its documentation.

When using this method, both versions of Image Uploader will behave as in the previous case. Again, the Java version will open a login dialog, which can be customized using the AuthenticationRequestNtlmText property.

NTLM Authentication Dialog

As with the previous type, you should set the AuthenticationType property to the Ntlm value.

JavaScript

<script language="javascript" src='../iuembed.js'>  </script>
<script language="javascript">
var iu = new ImageUploaderWriter("ImageUploader", 710, 500);

//...Any other params...

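// Only the Java applet needs this: it opens its own connections, whereas
// the ActiveX control uploads through Internet Explorer's HTTP layer.
if (iu.getControlType() == "Java")
    iu.addParam("AuthenticationType", "Ntlm");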

iu.writeHtml();
</script>

Custom Cookie-Based Authentication

This scheme requires additional support in server-side scripts. What exactly you will have to do depends on your web server, scripting language, and the frameworks you use. In general, you will need to:

  • Provide some storage for user credentials.
  • Create a login form to check user names and passwords and set cookies.
  • Add checks to your server scripts that verify whether the user is identified.

Image Uploader ActiveX extracts both traditional and HTTP-only cookies automatically and sends them along with images. The Java version can automatically extract traditional cookies only. It does not support HTTP-only cookies, so you should perform some additional steps to preserve them during the upload process. See the Preserving Sessions and Authentication Tickets Passed in Cookies topic for more details.

URL-Based Authentication

In general, this mechanism is similar to the previous one, but in this case all the information required for user identification is passed through the URL, not via cookies. In other words, you need to specify a special URL in the Action property, like upload.aspx?id=ldmvqinmsodjuhfqajmduj, to send the user identity. The upload.aspx server-side script will then analyze the id request variable and apply the corresponding permission level.

This authentication scheme works the same way in the ActiveX and Java versions.
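
One way to implement the server-side checks that the cookie-based and URL-based schemes above both rely on, as an added example (Node.js, not Image Uploader code and not the article's upload.aspx): an HMAC-signed ticket with an expiry, accepted either from a cookie or from the id request variable. All function names, the `ticket` cookie name and the key are hypothetical; the short lifetime limits the value of an id that ends up in server logs or browser history.

```javascript
// Added example, not Image Uploader code: issueTicket, verifyTicket,
// authenticateUpload, the "ticket" cookie name and SECRET are hypothetical.
const crypto = require("crypto");

// Assumption: the key comes from server configuration; constructed value here.
const SECRET = "constructed-demo-key-not-for-production";

const mac = (payload) =>
  crypto.createHmac("sha256", SECRET).update(payload).digest("hex");

// Called by the login form after the user name and password were checked.
// Ticket layout: hex(user) "." expiry-in-seconds "." HMAC over the first two.
function issueTicket(user, ttlSeconds, nowMs = Date.now()) {
  const payload = Buffer.from(user, "utf8").toString("hex") + "." +
                  (Math.floor(nowMs / 1000) + ttlSeconds);
  return payload + "." + mac(payload);
}

// Returns the user name for an authentic, unexpired ticket, otherwise null.
function verifyTicket(ticket, nowMs = Date.now()) {
  const parts = typeof ticket === "string" ? ticket.split(".") : [];
  if (parts.length !== 3 || !/^\d+$/.test(parts[1])) return null;
  const expected = Buffer.from(mac(parts[0] + "." + parts[1]));
  const given = Buffer.from(parts[2]);
  // Compare in constant time; timingSafeEqual requires equal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  if (Number(parts[1]) * 1000 <= nowMs) return null;
  return Buffer.from(parts[0], "hex").toString("utf8");
}

// Check performed by the upload script: cookie first, then the id request variable.
function authenticateUpload(req, nowMs = Date.now()) {
  const cookie = /(?:^|;\s*)ticket=([^;]*)/.exec(req.headers.cookie || "");
  const id = new URL(req.url, "https://placeholder.invalid").searchParams.get("id");
  return verifyTicket(cookie ? cookie[1] : id, nowMs);
}
```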