HTTP Authentication
Request header: Authorization
Response header: WWW-Authenticate
Based on a challenge/response exchange.
◆ Basic Authentication
Authentication method defined in HTTP/1.0. The client authenticates to each realm by providing a user name and password.
※ Transmits the password in plaintext.

Basic Authentication steps:
1. The client accesses a resource protected by Basic HTTP authentication.
2. The server returns status 401 and requires the client to provide a user name and password.
   401 Unauthorized
   WWW-Authenticate: Basic realm="wallyworld"
3. The client Base64-encodes "user name:password" and sends it to the server. Base64 is an encoding, not encryption, so the password is transmitted in plaintext.
   Authorization: Basic xxxxxxxxxx
4. If authentication succeeds, the requested resource is returned. If it fails, the server returns status 401 again and requires the client to authenticate again.
Special notes:
1. HTTP is stateless, so the same client must authenticate on every access to a resource in the same realm.
2. Clients usually cache the user name and password together with the authentication realm, so the user does not have to re-enter them.
3. Transmission is unencrypted plaintext. Base64 only turns the credentials into a string that is hard for a person to read; it does nothing to prevent theft of the user name and password by anyone who can observe the traffic.
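The exchange above, as an added example that is not part of the original page: the server's 401 challenge, the client's Base64-encoded Authorization header, and the server-side check. The user name "Aladdin", password "open sesame" and the realm "wallyworld" are sample values (the first two are the well-known RFC 7617 example); the credential store is a constructed dictionary, not how a real server should keep passwords. `parse_authorization` also shows the point of special note 3: the header decodes straight back to the user name and password.

```python
import base64
import hmac

# Constructed demo store: user name -> password. A real server would keep a
# slow password hash (bcrypt/argon2) rather than the password; the point here
# is the header format and the server-side check, not credential storage.
USERS = {"Aladdin": "open sesame"}
REALM = "wallyworld"


def challenge() -> dict:
    """Step 2: the 401 response that names the realm the client must authenticate to."""
    return {"status": 401, "WWW-Authenticate": f'Basic realm="{REALM}"'}


def build_authorization(username: str, password: str) -> str:
    """Step 3: Base64-encode "user name:password". Base64 is reversible encoding,
    not encryption, so the credentials are effectively sent in plaintext."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_authorization(header: str):
    """Recover (user name, password) from an Authorization header, or None if it
    is malformed. Anyone who can read the unencrypted request can do the same,
    which is why Basic authentication needs TLS underneath it."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def authenticate(header: str) -> dict:
    """Step 4: verify the credentials. The comparison is constant-time so that a
    wrong password cannot be distinguished from a right one by response timing."""
    creds = parse_authorization(header or "")
    if creds is None:
        return challenge()
    username, password = creds
    expected = USERS.get(username, "")
    # Compare even for unknown users so the check takes the same time either way.
    ok = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    if not expected or not ok:
        return challenge()
    return {"status": 200, "body": f"hello {username}"}
```

A malformed header (wrong scheme, invalid Base64, no colon) is answered with the same 401 challenge as a wrong password, which is the behaviour step 4 describes.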
◆ Digest Authentication
Alternative to Basic authentication defined in HTTP/1.1. The server verifies a response value that the client generates from the user name, password, nonce, HTTP method and request URI.
※ The password itself is not transmitted in plaintext.
Digest Authentication steps:
1. The client accesses a resource protected by HTTP Digest authentication.
2. The server returns status 401 together with a nonce and other parameters, requiring the client to authenticate.
   HTTP/1.1 401 Unauthorized
   WWW-Authenticate: Digest realm="[email protected]", qop="auth,auth-int", nonce="signature", opaque="5ccc069c403ebaf9f0171e9517f40e41"
3. The client returns to the server a digest (MD5 by default) computed from the user name, password, nonce, HTTP method and request URI.
   Five pieces of information are required for authentication:
   - realm: taken from the challenge
   - nonce: taken from the challenge
   - username: the user name
   - digest-uri: the requested URI
   - response: MD5 digest of the above four pieces of information plus the password
   Authorization: Digest
     username="Mufasa",                            ← known to the client
     realm="[email protected]",                     ← from the server challenge
     nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",  ← from the server challenge
     uri="/dir/index.html",                        ← known to the client
     qop=auth,                                     ← from the server challenge
     nc=00000001,                                  ← computed by the client (request count)
     cnonce="0a4f113b",                            ← generated by the client (client nonce)
     response="6629fae49393a05425978507c4ef1",     ← the final digest (HA3)
     opaque="5ccc069c403ebaf9f0171e9517f40e41"     ← from the server challenge
4. If authentication succeeds, the requested resource is returned. If it fails, the server returns status 401 and requires the client to authenticate again.
Note:
1. The password is not sent as plaintext over the network, which improves the security of HTTP authentication.
2. When a user first sets a password for a realm, the server stores the hash HA1 computed from the user name, realm and password, rather than the password itself.
3. With qop=auth-int, the calculation of HA2 covers the request entity body in addition to the HTTP method and URI path, which protects PUT and POST requests from tampering.
4. However, because the nonce serves only the digest authentication exchange itself, the security of data transmitted after authentication is not guaranteed.
※ Nonce: a random string. A different nonce is returned with every 401 response.
※ MD5 (Message Digest Algorithm 5):
  ① HA1 = MD5(username:realm:password)
  ② HA2 = MD5(HTTP method:URI)
  ③ HA3 (response) = MD5(HA1:nonce:nc:cnonce:qop:HA2)
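The three MD5 steps above, carried through for both the client and the server side, as an added example that is not code from the original page. It shows the three points of the note: the server keeps only HA1, qop=auth-int folds the entity body into HA2 so a tampered body fails verification, and each challenge carries a fresh random nonce. The function and parameter names are this example's own; `rfc2617_example` feeds in the test vector from RFC 2617 section 3.5 (user "Mufasa", password "Circle Of Life", realm "testrealm@host.com", the nonce, uri, nc and cnonce shown in the header above) and returns the response value that the RFC lists for it.

```python
import hashlib
import hmac
import secrets


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """① HA1 = MD5(username:realm:password). This is what the server stores
    instead of the password (note 2)."""
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str, qop: str, body: bytes = b"") -> str:
    """② HA2 = MD5(method:uri). With qop=auth-int the MD5 of the entity body is
    appended, so a modified PUT/POST body no longer verifies (note 3)."""
    if qop == "auth-int":
        return md5_hex(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    return md5_hex(f"{method}:{uri}")


def response_digest(h1: str, nonce: str, nc: str, cnonce: str, qop: str, h2: str) -> str:
    """③ HA3 (response) = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def new_nonce() -> str:
    """Server side: a fresh random nonce for every 401 challenge."""
    return secrets.token_hex(16)


def client_authorization(username, realm, password, nonce, method, uri, qop,
                         cnonce, nc="00000001", body=b""):
    """Step 3: assemble the Digest parameters from the challenge (realm, nonce,
    qop), what the client knows (username, uri, password) and the client's own
    nc and cnonce. Returned as a dict rather than a formatted header."""
    resp = response_digest(ha1(username, realm, password), nonce, nc, cnonce, qop,
                           ha2(method, uri, qop, body))
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": qop, "nc": nc, "cnonce": cnonce, "response": resp}


def server_verify(params: dict, stored_ha1: str, issued_nonce: str,
                  method: str, body: bytes = b"") -> bool:
    """Step 4: recompute the response from the stored HA1 and compare it in
    constant time. The nonce must be the one this server issued."""
    try:
        if not hmac.compare_digest(params["nonce"], issued_nonce):
            return False
        if params["qop"] not in ("auth", "auth-int"):
            return False
        expected = response_digest(stored_ha1, params["nonce"], params["nc"],
                                   params["cnonce"], params["qop"],
                                   ha2(method, params["uri"], params["qop"], body))
        return hmac.compare_digest(expected, params["response"])
    except KeyError:
        return False


def rfc2617_example() -> str:
    """Test vector from RFC 2617 section 3.5 (values are the RFC's, not constructed)."""
    params = client_authorization("Mufasa", "testrealm@host.com", "Circle Of Life",
                                  "dcd98b7102dd2f0e8b11d0f600bfb0c093", "GET",
                                  "/dir/index.html", "auth", "0a4f113b")
    return params["response"]  # → 6629fae49393a05397450978507c4ef1
```

The server never needs the password once HA1 is on file, which is why the realm is part of HA1: the same password used in two realms yields two unrelated stored values.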
◆ WSSE (WS-Security) Authentication
An extension of HTTP authentication using the WSSE UsernameToken. The server verifies a digest that the client generates from the user name, password, a client-generated nonce and a creation timestamp.
※ The password itself is not transmitted in plaintext.
WSSE authentication steps:
1. The client accesses a resource protected by WSSE authentication.
2. The server returns status 401, requiring the client to authenticate.
   HTTP/1.1 401 Unauthorized
   WWW-Authenticate: WSSE realm="[email protected]", profile="UsernameToken"   ← the server expects a response generated under the UsernameToken rule
   ※ UsernameToken rule: the client generates a nonce and computes a hash over that nonce, the creation timestamp and the password.
3. The client generates a nonce and returns to the server the hash computed from that nonce, the creation timestamp and the password.
   Authorization: WSSE profile="UsernameToken"
   X-WSSE: UsernameToken Username="Mufasa", PasswordDigest="z2y......", Nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", Created="2010-01-01T09:00:00Z"
4. If authentication succeeds, the requested resource is returned. If it fails, the server returns status 401 and requires the client to authenticate again.
Note:
1. The password is not sent as plaintext over the network.
2. No special configuration is required on the server side.
3. The password itself must be stored on the server; otherwise the digest cannot be recomputed and authentication cannot be performed.
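The UsernameToken exchange above on both sides, as an added example that is not code from the original page. It assumes the WSSE UsernameToken profile rule PasswordDigest = Base64(SHA-1(nonce + created + password)), with the nonce contributed as raw bytes and carried Base64-encoded in the header (that rule is the profile's, not the page's). The header field names follow the X-WSSE line above; the password store, the user "Mufasa", the password "Circle Of Life" and the fixed timestamp are constructed sample values. Besides recomputing the digest from the stored password (note 3), the server side rejects a stale Created value and any nonce it has already accepted, which is what stops a captured header from being replayed.

```python
import base64
import hashlib
import hmac
import re
import secrets
from datetime import datetime, timedelta, timezone

CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """UsernameToken rule (assumed, per the WSSE profile):
    PasswordDigest = Base64(SHA-1(nonce + created + password)),
    where nonce is the raw bytes behind the Base64 value in the header."""
    nonce = base64.b64decode(nonce_b64)
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_x_wsse(username: str, password: str, now: datetime) -> str:
    """Step 3 on the client: fresh random nonce, current UTC timestamp, digest."""
    nonce_b64 = base64.b64encode(secrets.token_bytes(16)).decode("ascii")
    created = now.astimezone(timezone.utc).strftime(CREATED_FMT)
    digest = password_digest(nonce_b64, created, password)
    return (f'UsernameToken Username="{username}", PasswordDigest="{digest}", '
            f'Nonce="{nonce_b64}", Created="{created}"')


def parse_x_wsse(header: str) -> dict:
    """Pull the quoted name="value" pairs out of the X-WSSE header value."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


def verify_x_wsse(header: str, passwords: dict, seen_nonces: set, now: datetime,
                  max_skew: timedelta = timedelta(minutes=5)) -> bool:
    """Step 4 on the server. `passwords` is the constructed store of plaintext
    passwords the server must hold (note 3); `seen_nonces` is the server's
    memory of accepted nonces so a captured header cannot be replayed."""
    try:
        p = parse_x_wsse(header)
        created = datetime.strptime(p["Created"], CREATED_FMT).replace(tzinfo=timezone.utc)
        password = passwords[p["Username"]]
        expected = password_digest(p["Nonce"], p["Created"], password)
    except (KeyError, ValueError):
        return False  # missing field, unknown user, bad timestamp or bad Base64
    if abs(now.astimezone(timezone.utc) - created) > max_skew:
        return False  # Created too old or too far in the future
    if p["Nonce"] in seen_nonces:
        return False  # replayed header
    if not hmac.compare_digest(expected, p["PasswordDigest"]):
        return False  # wrong password
    seen_nonces.add(p["Nonce"])
    return True
```

The timestamp window bounds how long the server has to remember nonces: anything older than `max_skew` is rejected by the time check alone, so `seen_nonces` only needs to hold entries from the last few minutes.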