javascript: Is it possible to use Digest Authentication with an XMLHTTPRequest?
Disclaimer: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. If you use it you must follow the same CC BY-SA licence, cite the original address and author information, and attribute it to the original author (not me): StackOverFlow
Original address: http://stackoverflow.com/questions/7159551/
Is it possible to use Digest-Authentication with an XMLHTTPRequest?
Asked by user880625
I have a simple question: Is it possible to use Digest-Authentication with an XMLHTTPRequest?
If the answer is no, what's the technical reason? Or if it is possible - how can I do that?
Thanks a lot … google has no good answer so far :-/
EDIT:
Thanks for the answers. Modifying the header to match the digest authentication-scheme, after a nonce has been received, seems to be a solution.
But what I was really looking for was that I could change my current call: xmlhttp.open("GET", url, false, username, password); to sth. like that xmlhttp.open("GET", url, false, username, password, "DIGEST");
That's also part of my initial question: Why does the open-method not offer the option to make a digest-request?
Maybe there is a js-lib one could recommend that lets me do that - as you imagine I don't really want to change the one and simple xmlhttp.open to multiple requests and first get a nonce.
Answered by James
You can do it no problem. Just follow the parts of the specs you feel like ;)
http://tools.ietf.org/html/rfc2617
and is all you are missing to start writing your authentication library
http://pajhome.org.uk/crypt/md5/
on the client side.
pre-exchange user name and password
Hey I want to authenticate ----> server
Ok here is a nonce/salt ----> client
here is a md5 hash sum of my username password timestamp and the salt -----> server
I just hashed up your password and username the same way you did and they are the same -----> client
Those are the basics of it.
I left out that you need to include the URI of the requested resource in the hashsum!!!!
Of course you do this with every request you make for a resource to the server; that way someone intercepting the hash could only view the content you requested and could not make a request for a miscellaneous resource. This method does not secure the data, just access to it.
Answered by Marcin Michalski
Have a look at this article: http://marcin-michalski.pl/2012/11/01/javascript-digest-authentication-restful-webservice-spring-security-javascript-ajax/. It explains how to write a JavaScript client for Digest Authentication with SpringSecurity on the server side. The code is available on GitHub: https://github.com/Arrowgroup/JSDigestAuth
Answered by malber
I have coded a full workflow for this, it's not difficult at all once you are using an external library for MD5 (I use Crypto-js).
The greatest issue you might have is that on the server's first 401 reply any of the most used browsers will open a dialog box for getting your credentials. As far as I have seen there is no easy way to circumvent this: How can I suppress the browser's authentication dialog?
To solve it, I modified the webserver which I coded from a C# codeplex project. On the first request the client passes a "Warning" header saying "Do not raise a 401". The server creates the challenge and sends it back with a custom, non-401 HttpException (I use 406 for the moment, which is "not acceptable" in HTTP). The client creates the hash and sends it back.
I can post some code snippets if anyone's interested, this is kind of an old question.
Answered by Victor Wagner
You really shouldn't care which authentication method the site uses, as long as your browser supports it.
If you specify username and password to the open method and don't mess with the Authorization header, XMLHttpRequest.send() would first try to send the request without authentication, receive a 401 response with a WWW-Authenticate header, and retry the request, providing name and password according to the authorization method requested by the site.
(Although there can be some extra event handlers fired during this two-stage process).
Answered by Vangelis
To avoid the default browser authentication dialog you just set the WWW-Authenticate as Digest/YourString (ex. your realm). It is all in the first response, not so tragically.. My custom code was working perfectly until yesterday and now I'm trying to debug something strange that happened suddenly, still trying to understand..
Answered by Chielus
The best way to do this is by using SSL. I don't think any other safe solution exists (correct me if I'm wrong)