- 浏览: 2682862 次
- 性别:
- 来自: 北京
文章分类
最新评论
-
80后的童年2:
深入浅出MongoDB应用实战开发网盘地址:https://p ...
MongoDB入门教程 -
shliujing:
楼主在不是精通java和php的前提下,请不要妄下结论。
PHP、CakePHP哪凉快哪呆着去 -
安静听歌:
希望可以一给一点点注释
MySQL存储过程之代码块、条件控制、迭代 -
qq287767957:
PHP是全宇宙最强的语言!
PHP、CakePHP哪凉快哪呆着去 -
rryymmoK:
深入浅出MongoDB应用实战开发百度网盘下载:链接:http ...
MongoDB入门教程
HTTP Authentication
The 401 (Unauthorized) response message is used by an origin server to challenge the authorization of a user agent
This response MUST include a WWW-Authenticate header field containing at least one challenge applicable to the requested resource
The 407 (Proxy Authentication Required) response message is used by a proxy to challenge the authorization of a client and MUST include a Proxy-Authenticate header field containing at least one challenge applicable to the proxy for the requested resource
The authentication parameter realm is defined for all authentication schemes:
A user agent that wishes to authenticate itself with an origin server--usually, but not necessarily, after receiving a 401 (Unauthorized)--MAY do so by including an Authorization header field with the request
A client that wishes to authenticate itself with a proxy--usually, but not necessarily, after receiving a 407 (Proxy Authentication Required)--MAY do so by including a Proxy-Authorization header field with the request
Basic Access Authentication Scheme
The "basic" authentication scheme is based on the model that the client must authenticate itself with a user-ID and a password for each realm
The realm value should be considered an opaque string which can only be compared for equality with other realms on that server
To receive authorization, the client sends the userid and password, separated by a single colon (":") character, within a base64 encoded string in the credentials
Digest Access Auhtenticaton Scheme
Basic Authentication Scheme is not considered to be a secure method of user authentication, as the user name and password are passed over the network in an unencrypted form
The Digest scheme challenges using a nonce value. A valid response contains a checksum (by default, the MD5 checksum) of the username, the password, the given nonce value, the HTTP method, and the requested URI
The WWW-Authenticate Response Header:
The Authorization Request Header:
The Authentication-Info header is used by the server to communicate some information regarding the successful authentication in the response
Example:
The most serious flaw in Basic authentication is that it results in the essentially cleartext transmission of the user's password over the physical network
Before transmission, the username and password are encoded as a sequence of base-64 characters
For example, the user name Aladdin and password open sesame would be combined as Aladdin:open sesame – which is equivalent to QWxhZGRpbjpvcGVuIHNlc2FtZQ== when encoded in Base64
Little effort is required to translate the encoded string back into the user name and password, and many popular security tools will decode the strings "on the fly"
Digest Authentication does not provide a strong authentication mechanism, when compared to public key based mechanisms, for example
However, it is significantly stronger than (e.g.) CRAM-MD5, which has been proposed for use with LDAP, POP and IMAP (see RFC 2195)
It is intended to replace the much weaker and even more dangerous Basic mechanism
Digest authentication is basically an application of MD5 cryptographic hashing with usage of nonce values to prevent cryptanalysis
Any service in present use that uses Basic should be switched to Digest as soon as practical
OAuth
OAuth is an open protocol, initiated by Blaine Cook and Chris Messina, to allow secure API authorization in a simple and standard method for desktop, mobile and web applications
WWW-Authenticate Header:
Authorization Header:
OAuth Core 1.0, the main protocol, was finalized in December
It is stable and ready to be implemented
Libraries are already available for many popular platforms such as PHP, Rails, Python, .NET, C, and Perl
auth-scheme = token auth-param = token "=" ( token | quoted-string ) challenge = auth-scheme 1*SP 1#auth-param
The 401 (Unauthorized) response message is used by an origin server to challenge the authorization of a user agent
This response MUST include a WWW-Authenticate header field containing at least one challenge applicable to the requested resource
The 407 (Proxy Authentication Required) response message is used by a proxy to challenge the authorization of a client and MUST include a Proxy-Authenticate header field containing at least one challenge applicable to the proxy for the requested resource
D:\projects\maui>curl -I http://ar-code.svn.engineyard.com/ HTTP/1.1 401 Authorization Required Date: Fri, 09 Jan 2009 04:15:16 GMT Server: Apache WWW-Authenticate: Basic realm="Engine Yard SVN Cluster: ar-code" Content-Type: text/html; charset=iso-8859-1
The authentication parameter realm is defined for all authentication schemes:
realm = "realm" "=" realm-value realm-value = quoted-string
A user agent that wishes to authenticate itself with an origin server--usually, but not necessarily, after receiving a 401 (Unauthorized)--MAY do so by including an Authorization header field with the request
A client that wishes to authenticate itself with a proxy--usually, but not necessarily, after receiving a 407 (Proxy Authentication Required)--MAY do so by including a Proxy-Authorization header field with the request
credentials = auth-scheme #auth-param
Basic Access Authentication Scheme
The "basic" authentication scheme is based on the model that the client must authenticate itself with a user-ID and a password for each realm
The realm value should be considered an opaque string which can only be compared for equality with other realms on that server
challenge = "Basic" realm credentials = "Basic" basic-credentials
WWW-Authenticate: Basic realm="WallyWorld"
To receive authorization, the client sends the userid and password, separated by a single colon (":") character, within a base64 encoded string in the credentials
basic-credentials = base64-user-pass base64-user-pass = <base64 encoding of user-pass, except not limited to 76 char/line> user-pass = userid ":" password userid = *<TEXT excluding ":"> password = *TEXT
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Digest Access Auhtenticaton Scheme
Basic Authentication Scheme is not considered to be a secure method of user authentication, as the user name and password are passed over the network in an unencrypted form
The Digest scheme challenges using a nonce value. A valid response contains a checksum (by default, the MD5 checksum) of the username, the password, the given nonce value, the HTTP method, and the requested URI
The WWW-Authenticate Response Header:
challenge = "Digest" digest-challenge digest-challenge = 1#( realm | [ domain ] | nonce | [ opaque ] |[ stale ] | [ algorithm ] | [ qop-options ] | [auth-param] ) domain = "domain" "=" <"> URI ( 1*SP URI ) <"> URI = absoluteURI | abs_path nonce = "nonce" "=" nonce-value nonce-value = quoted-string opaque = "opaque" "=" quoted-string stale = "stale" "=" ( "true" | "false" ) algorithm = "algorithm" "=" ( "MD5" | "MD5-sess" | token ) qop-options = "qop" "=" <"> 1#qop-value <"> qop-value = "auth" | "auth-int" | token
The Authorization Request Header:
credentials = "Digest" digest-response digest-response = 1#( username | realm | nonce | digest-uri | response | [ algorithm ] | [cnonce] | [opaque] | [message-qop] | [nonce-count] | [auth-param] ) username = "username" "=" username-value username-value = quoted-string digest-uri = "uri" "=" digest-uri-value digest-uri-value = request-uri ; As specified by HTTP/1.1 message-qop = "qop" "=" qop-value cnonce = "cnonce" "=" cnonce-value cnonce-value = nonce-value nonce-count = "nc" "=" nc-value nc-value = 8LHEX response = "response" "=" request-digest request-digest = <"> 32LHEX <"> LHEX = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" | "a" | "b" | "c" | "d" | "e" | "f"
The Authentication-Info header is used by the server to communicate some information regarding the successful authentication in the response
AuthenticationInfo = "Authentication-Info" ":" auth-info auth-info = 1#(nextnonce | [ message-qop ] | [ response-auth ] | [ cnonce ] | [nonce-count] ) nextnonce = "nextnonce" "=" nonce-value response-auth = "rspauth" "=" response-digest response-digest = <"> *LHEX <">
Example:
HTTP/1.1 401 Unauthorized WWW-Authenticate: Digest realm="testrealm@host.com", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41" Authorization: Digest username="Mufasa", realm="testrealm@host.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", qop=auth, nc=00000001, cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1", opaque="5ccc069c403ebaf9f0171e9517f40e41"
The most serious flaw in Basic authentication is that it results in the essentially cleartext transmission of the user's password over the physical network
Before transmission, the username and password are encoded as a sequence of base-64 characters
For example, the user name Aladdin and password open sesame would be combined as Aladdin:open sesame – which is equivalent to QWxhZGRpbjpvcGVuIHNlc2FtZQ== when encoded in Base64
Little effort is required to translate the encoded string back into the user name and password, and many popular security tools will decode the strings "on the fly"
Digest Authentication does not provide a strong authentication mechanism, when compared to public key based mechanisms, for example
However, it is significantly stronger than (e.g.) CRAM-MD5, which has been proposed for use with LDAP, POP and IMAP (see RFC 2195)
It is intended to replace the much weaker and even more dangerous Basic mechanism
Digest authentication is basically an application of MD5 cryptographic hashing with usage of nonce values to prevent cryptanalysis
Any service in present use that uses Basic should be switched to Digest as soon as practical
OAuth
OAuth is an open protocol, initiated by Blaine Cook and Chris Messina, to allow secure API authorization in a simple and standard method for desktop, mobile and web applications
WWW-Authenticate Header:
WWW-Authenticate: OAuth realm="http://sp.example.com/"
Authorization Header:
Authorization: OAuth realm="http://sp.example.com/", oauth_consumer_key="0685bd9184jfhq22", oauth_token="ad180jjd733klru7", oauth_signature_method="HMAC-SHA1", oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D", oauth_timestamp="137131200", oauth_nonce="4572616e48616d6d65724c61686176", oauth_version="1.0"
OAuth Core 1.0, the main protocol, was finalized in December
It is stable and ready to be implemented
Libraries are already available for many popular platforms such as PHP, Rails, Python, .NET, C, and Perl
发表评论
-
leveldb资料整理
2011-12-28 19:50 10845leveldb介绍 http://code.google.co ... -
HTTP1.1 Notes 8, Header Field Definitions
2008-12-31 13:13 4451http://www.w3.org/Protocols/rfc ... -
HTTP1.1 Notes 7, Status Code Definitions
2008-12-30 15:01 3303Informational 1xx This class of ... -
HTTP1.1 Notes 6, Method Definitions
2008-12-30 12:30 2505Safe and Idempotent Methods In ... -
HTTP1.1 Notes 5, Connections
2008-12-29 13:25 2732Persistent Connections advantag ... -
HTTP1.1 Notes 4, Request & Response & Entity
2008-12-26 13:25 4197Request Request = ... -
HTTP1.1 Notes 3, HTTP Message
2008-12-26 10:57 4216Message Types HTTP-mess ... -
HTTP1.1 Notes 2, Protocol Parameters
2008-12-24 13:12 2715HTTP Version HTTP-Versio ... -
HTTP1.1 Notes 1, Terminology & ABNF
2008-12-23 17:03 2838http://www.w3.org/Protocols/rfc ... -
以后都用MindManager做年度总结和年度计划
2008-12-19 19:54 60212008总结如下: 2009计划如下: 希望自己能够戒骄 ... -
Skip List 跳表
2008-12-19 15:54 5557跳表是个概率性的的数据结构,由William Pugh在199 ... -
数据仓库toolkit笔记1,Dimensional Modeling Primer
2008-12-15 18:49 2429数据仓库管理员的主要职责: 1,通过业务领域、工作职责和计算机 ... -
CLRS笔记15,动态规划
2008-12-10 18:14 1888动态规划算法的实质是分治思想和解决冗余,因此,动态规划是一种将 ... -
Web搜索引擎原理和技术
2008-12-08 12:06 4860主要的三个功能模块: ... -
CLRS笔记12,二叉查找树/红黑树
2008-12-04 17:32 2828二叉查找树 二叉查找树是一颗二叉树,并且每个节点x的左子树中所 ... -
CLRS笔记11,Hash Table
2008-12-03 15:02 2019Hash Table是实现动态集合在O(1)时间内的INSER ... -
CLRS笔记10、基本数据结构
2008-11-28 14:28 1910数学中的集合是不变的 ... -
CLRS笔记8,线性时间排序(counting、radix、bucket sort)
2008-11-27 11:13 3497线性时间排序即时间复杂度为Θ(n)的排序,主要有计数排序、基数 ... -
How to be Computer Game Developer?
2008-07-21 13:35 1269http://www.beyondrails.com/blog ... -
游戏引擎剖析
2008-07-21 11:59 2405转载一篇《游戏引擎剖析》系列,了解游戏引擎开发相关的知识。 ...
相关推荐
4. **身份验证协议**:可能涵盖了各种身份验证协议,如HTTP Basic Auth、Digest Auth、OAuth2.0等,以及它们在实际应用中的使用。 5. **访问控制**:文件可能讨论了权限管理,如RBAC(基于角色的访问控制)和ABAC...
WebApi支持多种认证机制,如Basic Authentication、Digest Authentication、Windows Authentication和OAuth2等。理解这些机制的工作原理和应用场景是学习WebApi认证的基础。 2. 基本身份验证(Basic Authentication...
常见的HTTP鉴权机制有基本认证(Basic Authentication)、摘要认证(Digest Authentication)以及OAuth2等。 在Spring Boot中,我们可以利用Spring Security来处理HTTP鉴权。Spring Security是一个功能强大的安全...
在HTTP鉴权中,这样的服务可能会使用预定义的策略,例如基本认证(Basic Authentication)、摘要认证(Digest Authentication)或者OAuth等。 UtilHttpAuth.java则可能是包含通用HTTP鉴权辅助方法的工具类。它可能...
2. **摘要认证(Digest Authentication)**:相比基本认证,摘要认证更加安全。它使用哈希函数对密码进行处理,避免了明文传输密码的风险。 3. **WS-Security**:这是一种为Web服务提供安全的规范,包括签名、加密...
- **HttpBasic**: 实现了HTTP基本认证,通常用于Web服务器身份验证。 - **HttpDigest**: 提供HTTP摘要认证,相对于基本认证更安全,因为它不通过网络发送明文密码。 - **RememberMe**: 支持“记住我”功能,以便在...
* Supports HTTP Basic and Digest authentication (client and server side) * Supports Amazon S3 authentication (client side) * Supports OAuth authentication (server side) * Supports HTTPS (HTTP over...
2. 摘要认证(Digest Authentication):一种更安全的HTTP认证方式,使用哈希算法处理密码,避免在网络中明文传输。 3. JSON Web Token(JWT):一种基于Token的认证方式,包含用户信息和过期时间,由服务器签发,...
在CXF中,可以通过在Spring配置文件中添加`<security:basic-authentication>`元素来启用此功能。 2. **Digest认证**:相比基本认证,Digest认证更安全,因为它不直接在请求中传输明文密码。在CXF中,可以使用`...
这个插件主要实现了HTTP基本认证(HTTP Basic Authentication)和摘要式认证(Digest Authentication)这两种常见的身份验证机制。这两种方法都是基于客户端和服务器之间的无状态交互,使得它们非常适合用于RESTful ...
在很多网络应用中,图片资源可能受到安全控制,只有提供正确的身份验证信息才能访问。C#提供了HttpWebRequest类,使得我们可以方便地处理这种场景。...例如,某些服务器可能需要使用不同的认证类型,如Digest或OAuth。
- Basic Authentication:最简单的HTTP认证方式,用户凭据以Base64编码的形式包含在请求头中,但安全性较低,因为数据未加密。 - Digest Authentication:改进版的Basic Auth,使用哈希算法对密码进行保护,提高了...
常见的身份验证机制包括Basic Auth、Digest Auth以及OAuth等。这种机制是为了确保只有授权的用户才能访问特定的网页或服务,提高安全性。 然而,这种机制在实际使用中可能会带来不便,尤其是在需要频繁切换账户或...
1. **HTTP身份验证**:基于HTTP协议的身份验证,包括基本认证(Basic Authentication)和摘要认证(Digest Authentication)。基本认证将用户名和密码以Base64编码的形式发送,而摘要认证则更安全,因为它不直接传输...
2. 摘要认证(Digest Authentication):相比基本认证,摘要认证更安全,因为它不以明文形式在网络上传输密码。服务器提供一个挑战(nonce),客户端使用这个挑战、用户名、密码和一些算法生成一个响应,然后将响应...
HTTP验证通常包括几种类型,如基本认证(Basic Authentication)、摘要认证(Digest Authentication)等。在Python的requests库中,我们主要关注基本认证,因为这是最简单且常见的认证方式。基本认证是通过在HTTP...
常见的身份验证方式有基本认证(Basic Authentication)、摘要认证(Digest Authentication)和令牌(Token-Based Authentication)。在Web应用中,最常用的是基于Cookie的身份验证。当用户首次登录成功后,服务器会...
1. **HTTP身份验证**:这是HTTP验证的核心,包括基本认证(Basic Authentication)、摘要认证(Digest Authentication)和OAuth2等。基本认证通过Base64编码的用户名和密码进行;摘要认证更安全,因为它不直接发送...
- **验证特点**:Spring Security 支持多种认证方式,如HTTP Basic、Digest、Form Login等,并且允许加密格式的自定义。同时,它具有可扩展性,可以替换组件并支持本地化输出。 - **授权特点**:框架支持多种授权...
在Web应用中,通常会实现基于HTTP的认证机制,如基本认证(Basic Authentication)和Digest认证。此外,OAuth2.0和OpenID Connect是现代Web服务中广泛使用的开放标准,允许用户通过第三方服务进行身份验证。 2. **...