`
hideto
  • 浏览: 2682817 次
  • 性别: Icon_minigender_1
  • 来自: 北京
社区版块
存档分类
最新评论

HTTP Basic/Digest Authentication、OAuth

阅读更多
HTTP Authentication

      auth-scheme    = token
      auth-param     = token "=" ( token | quoted-string )
      challenge      = auth-scheme 1*SP 1#auth-param

The 401 (Unauthorized) response message is used by an origin server to challenge the authorization of a user agent
This response MUST include a WWW-Authenticate header field containing at least one challenge applicable to the requested resource
The 407 (Proxy Authentication Required) response message is used by a proxy to challenge the authorization of a client and MUST include a Proxy-Authenticate header field containing at least one challenge applicable to the proxy for the requested resource
D:\projects\maui>curl -I http://ar-code.svn.engineyard.com/
HTTP/1.1 401 Authorization Required
Date: Fri, 09 Jan 2009 04:15:16 GMT
Server: Apache
WWW-Authenticate: Basic realm="Engine Yard SVN Cluster: ar-code"
Content-Type: text/html; charset=iso-8859-1

The authentication parameter realm is defined for all authentication schemes:
      realm       = "realm" "=" realm-value
      realm-value = quoted-string


A user agent that wishes to authenticate itself with an origin server--usually, but not necessarily, after receiving a 401 (Unauthorized)--MAY do so by including an Authorization header field with the request
A client that wishes to authenticate itself with a proxy--usually, but not necessarily, after receiving a 407 (Proxy Authentication Required)--MAY do so by including a Proxy-Authorization header field with the request
   credentials = auth-scheme #auth-param


Basic Access Authentication Scheme
The "basic" authentication scheme is based on the model that the client must authenticate itself with a user-ID and a password for each realm
The realm value should be considered an opaque string which can only be compared for equality with other realms on that server
      challenge   = "Basic" realm
      credentials = "Basic" basic-credentials

      WWW-Authenticate: Basic realm="WallyWorld"

To receive authorization, the client sends the userid and password, separated by a single colon (":") character, within a base64 encoded string in the credentials
      basic-credentials = base64-user-pass
      base64-user-pass  = <base64 encoding of user-pass, except not limited to 76 char/line>
      user-pass   = userid ":" password
      userid      = *<TEXT excluding ":">
      password    = *TEXT

      Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==


Digest Access Auhtenticaton Scheme
Basic Authentication Scheme is not considered to be a secure method of user authentication, as the user name and password are passed over the network in an unencrypted form
The Digest scheme challenges using a nonce value. A valid response contains a checksum (by default, the MD5 checksum) of the username, the password, the given nonce value, the HTTP method, and the requested URI
The WWW-Authenticate Response Header:
      challenge        =  "Digest" digest-challenge

      digest-challenge  = 1#( realm | [ domain ] | nonce |
                          [ opaque ] |[ stale ] | [ algorithm ] |
                          [ qop-options ] | [auth-param] )


      domain            = "domain" "=" <"> URI ( 1*SP URI ) <">
      URI               = absoluteURI | abs_path
      nonce             = "nonce" "=" nonce-value
      nonce-value       = quoted-string
      opaque            = "opaque" "=" quoted-string
      stale             = "stale" "=" ( "true" | "false" )
      algorithm         = "algorithm" "=" ( "MD5" | "MD5-sess" |
                           token )
      qop-options       = "qop" "=" <"> 1#qop-value <">
      qop-value         = "auth" | "auth-int" | token

The Authorization Request Header:
       credentials      = "Digest" digest-response
       digest-response  = 1#( username | realm | nonce | digest-uri
                       | response | [ algorithm ] | [cnonce] |
                       [opaque] | [message-qop] |
                           [nonce-count]  | [auth-param] )

       username         = "username" "=" username-value
       username-value   = quoted-string
       digest-uri       = "uri" "=" digest-uri-value
       digest-uri-value = request-uri   ; As specified by HTTP/1.1
       message-qop      = "qop" "=" qop-value
       cnonce           = "cnonce" "=" cnonce-value
       cnonce-value     = nonce-value
       nonce-count      = "nc" "=" nc-value
       nc-value         = 8LHEX
       response         = "response" "=" request-digest
       request-digest = <"> 32LHEX <">
       LHEX             =  "0" | "1" | "2" | "3" |
                           "4" | "5" | "6" | "7" |
                           "8" | "9" | "a" | "b" |
                           "c" | "d" | "e" | "f"

The Authentication-Info header is used by the server to communicate some information regarding the successful authentication in the response
        AuthenticationInfo = "Authentication-Info" ":" auth-info
        auth-info          = 1#(nextnonce | [ message-qop ]
                               | [ response-auth ] | [ cnonce ]
                               | [nonce-count] )
        nextnonce          = "nextnonce" "=" nonce-value
        response-auth      = "rspauth" "=" response-digest
        response-digest    = <"> *LHEX <">

Example:
         HTTP/1.1 401 Unauthorized
         WWW-Authenticate: Digest
                 realm="testrealm@host.com",
                 qop="auth,auth-int",
                 nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                 opaque="5ccc069c403ebaf9f0171e9517f40e41"

         Authorization: Digest username="Mufasa",
                 realm="testrealm@host.com",
                 nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                 uri="/dir/index.html",
                 qop=auth,
                 nc=00000001,
                 cnonce="0a4f113b",
                 response="6629fae49393a05397450978507c4ef1",
                 opaque="5ccc069c403ebaf9f0171e9517f40e41"


The most serious flaw in Basic authentication is that it results in the essentially cleartext transmission of the user's password over the physical network

Before transmission, the username and password are encoded as a sequence of base-64 characters
For example, the user name Aladdin and password open sesame would be combined as Aladdin:open sesame – which is equivalent to QWxhZGRpbjpvcGVuIHNlc2FtZQ== when encoded in Base64
Little effort is required to translate the encoded string back into the user name and password, and many popular security tools will decode the strings "on the fly"

Digest Authentication does not provide a strong authentication mechanism, when compared to public key based mechanisms, for example
However, it is significantly stronger than (e.g.) CRAM-MD5, which has been proposed for use with LDAP, POP and IMAP (see RFC 2195)
It is intended to replace the much weaker and even more dangerous Basic mechanism
Digest authentication is basically an application of MD5 cryptographic hashing with usage of nonce values to prevent cryptanalysis

Any service in present use that uses Basic should be switched to Digest as soon as practical

OAuth
OAuth is an open protocol, initiated by Blaine Cook and Chris Messina, to allow secure API authorization in a simple and standard method for desktop, mobile and web applications
WWW-Authenticate Header:
                WWW-Authenticate: OAuth realm="http://sp.example.com/"

Authorization Header:
                Authorization: OAuth realm="http://sp.example.com/",
                oauth_consumer_key="0685bd9184jfhq22",
                oauth_token="ad180jjd733klru7",
                oauth_signature_method="HMAC-SHA1",
                oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
                oauth_timestamp="137131200",
                oauth_nonce="4572616e48616d6d65724c61686176",
                oauth_version="1.0"

OAuth Core 1.0, the main protocol, was finalized in December
It is stable and ready to be implemented
Libraries are already available for many popular platforms such as PHP, Rails, Python, .NET, C, and Perl
分享到:
评论
1 楼 andyjackson 2010-08-20  
大湿你好屌!!!

相关推荐

    Authentication- IO Capabilities.cywrk.Archive01.zip

    4. **身份验证协议**:可能涵盖了各种身份验证协议,如HTTP Basic Auth、Digest Auth、OAuth2.0等,以及它们在实际应用中的使用。 5. **访问控制**:文件可能讨论了权限管理,如RBAC(基于角色的访问控制)和ABAC...

    WebApi认证共8页.pdf.zip

    WebApi支持多种认证机制,如Basic Authentication、Digest Authentication、Windows Authentication和OAuth2等。理解这些机制的工作原理和应用场景是学习WebApi认证的基础。 2. 基本身份验证(Basic Authentication...

    java http鉴权(spring boot 工程)

    常见的HTTP鉴权机制有基本认证(Basic Authentication)、摘要认证(Digest Authentication)以及OAuth2等。 在Spring Boot中,我们可以利用Spring Security来处理HTTP鉴权。Spring Security是一个功能强大的安全...

    自己写的一个Http鉴权Demo

    在HTTP鉴权中,这样的服务可能会使用预定义的策略,例如基本认证(Basic Authentication)、摘要认证(Digest Authentication)或者OAuth等。 UtilHttpAuth.java则可能是包含通用HTTP鉴权辅助方法的工具类。它可能...

    webservice认证和调用

    2. **摘要认证(Digest Authentication)**:相比基本认证,摘要认证更加安全。它使用哈希函数对密码进行处理,避免了明文传输密码的风险。 3. **WS-Security**:这是一种为Web服务提供安全的规范,包括签名、加密...

    laminas-authentication:提供用于身份验证的API,并包括针对常见用例场景的具体身份验证适配器

    - **HttpBasic**: 实现了HTTP基本认证,通常用于Web服务器身份验证。 - **HttpDigest**: 提供HTTP摘要认证,相对于基本认证更安全,因为它不通过网络发送明文密码。 - **RememberMe**: 支持“记住我”功能,以便在...

    restful restful所需要的jar包

    * Supports HTTP Basic and Digest authentication (client and server side) * Supports Amazon S3 authentication (client side) * Supports OAuth authentication (server side) * Supports HTTPS (HTTP over...

    Authentication

    2. 摘要认证(Digest Authentication):一种更安全的HTTP认证方式,使用哈希算法处理密码,避免在网络中明文传输。 3. JSON Web Token(JWT):一种基于Token的认证方式,包含用户信息和过期时间,由服务器签发,...

    使用cxf的webservice安全验证

    在CXF中,可以通过在Spring配置文件中添加`&lt;security:basic-authentication&gt;`元素来启用此功能。 2. **Digest认证**:相比基本认证,Digest认证更安全,因为它不直接在请求中传输明文密码。在CXF中,可以使用`...

    前端开源库-passport-http

    这个插件主要实现了HTTP基本认证(HTTP Basic Authentication)和摘要式认证(Digest Authentication)这两种常见的身份验证机制。这两种方法都是基于客户端和服务器之间的无状态交互,使得它们非常适合用于RESTful ...

    使用C#获取远程图片 Form用户名与密码Authorization认证的实现

    在很多网络应用中,图片资源可能受到安全控制,只有提供正确的身份验证信息才能访问。C#提供了HttpWebRequest类,使得我们可以方便地处理这种场景。...例如,某些服务器可能需要使用不同的认证类型,如Digest或OAuth。

    Web-Authentication:Web认证实践

    - Basic Authentication:最简单的HTTP认证方式,用户凭据以Base64编码的形式包含在请求头中,但安全性较低,因为数据未加密。 - Digest Authentication:改进版的Basic Auth,使用哈希算法对密码进行保护,提高了...

    Cancel Authentication Prompts-crx插件

    常见的身份验证机制包括Basic Auth、Digest Auth以及OAuth等。这种机制是为了确保只有授权的用户才能访问特定的网页或服务,提高安全性。 然而,这种机制在实际使用中可能会带来不便,尤其是在需要频繁切换账户或...

    转载的简单的网络验证源码

    1. **HTTP身份验证**:基于HTTP协议的身份验证,包括基本认证(Basic Authentication)和摘要认证(Digest Authentication)。基本认证将用户名和密码以Base64编码的形式发送,而摘要认证则更安全,因为它不直接传输...

    webservice.zip

    2. 摘要认证(Digest Authentication):相比基本认证,摘要认证更安全,因为它不以明文形式在网络上传输密码。服务器提供一个挑战(nonce),客户端使用这个挑战、用户名、密码和一些算法生成一个响应,然后将响应...

    Python requests HTTP验证登录实现流程

    HTTP验证通常包括几种类型,如基本认证(Basic Authentication)、摘要认证(Digest Authentication)等。在Python的requests库中,我们主要关注基本认证,因为这是最简单且常见的认证方式。基本认证是通过在HTTP...

    自动登录浏览器

    常见的身份验证方式有基本认证(Basic Authentication)、摘要认证(Digest Authentication)和令牌(Token-Based Authentication)。在Web应用中,最常用的是基于Cookie的身份验证。当用户首次登录成功后,服务器会...

    http-验证:Trilha初始-démomo教程:validacoes de requisicoes

    1. **HTTP身份验证**:这是HTTP验证的核心,包括基本认证(Basic Authentication)、摘要认证(Digest Authentication)和OAuth2等。基本认证通过Base64编码的用户名和密码进行;摘要认证更安全,因为它不直接发送...

    专题资料(2021-2022年)4、Spring Security 安全权限管理手册.docx

    - **验证特点**:Spring Security 支持多种认证方式,如HTTP Basic、Digest、Form Login等,并且允许加密格式的自定义。同时,它具有可扩展性,可以替换组件并支持本地化输出。 - **授权特点**:框架支持多种授权...

    无标题auth-master

    在Web应用中,通常会实现基于HTTP的认证机制,如基本认证(Basic Authentication)和Digest认证。此外,OAuth2.0和OpenID Connect是现代Web服务中广泛使用的开放标准,允许用户通过第三方服务进行身份验证。 2. **...

Global site tag (gtag.js) - Google Analytics