HTTP Authentication
Request header: Authorization
Response header: WWW-Authenticate
HTTP authentication is based on a challenge/response model.
Basic authentication ← the authentication method proposed in HTTP/1.0. The client authenticates to each realm by supplying a user name and password. ※ The password is sent in clear text.
Basic authentication steps:
1. The client accesses a resource protected by HTTP Basic authentication.
2. The server returns status 401, requiring the client to provide a user name and password for authentication.
   401 Unauthorized
   WWW-Authenticate: Basic realm="WallyWorld"
3. The client Base64-encodes the user name and password that were entered and sends them to the server unencrypted, in clear text.
   Authorization: Basic xxxxxxxxxx
4. If authentication succeeds, the requested resource is returned. If it fails, status 401 is returned again, requiring re-authentication.
Special notes:
1. HTTP is stateless, so the same client is asked to authenticate on every access to a resource in the same realm.
2. The client usually caches the user name and password together with the authentication realm, so the user does not normally need to re-enter them.
3. Because the credentials are transmitted unencrypted, in clear text (Base64 only makes them harder to read at a glance), Basic authentication does not prevent an eavesdropper from stealing the user name and password.
Digest authentication ← HTTP/1.1's alternative to Basic authentication. The server issues a challenge containing a nonce; the client generates response information from the user name, password, nonce, HTTP method, requested URI and other information, and authenticates with that. ※ The password is not sent in clear text.
Digest authentication steps:
1. The client accesses a resource protected by HTTP Digest authentication.
2. The server returns status 401 together with nonce information, requiring the client to authenticate.
   HTTP/1.1 401 Unauthorized
   WWW-Authenticate: Digest realm="testrealm@host.com", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"
3. The client returns digest information to the server, computed (by default with the MD5 algorithm) from the user name, password, nonce value, HTTP method and requested URI. Five pieces of information are required for authentication:
   - realm: taken from the server's challenge
   - nonce: taken from the server's challenge
   - username: the user name
   - digest-uri: the URI of the request
   - response: a string derived with MD5 from the four items above plus the password
   Authorization: Digest
     username="Mufasa",                            ← information known to the client
     realm="testrealm@host.com",                   ← from the server's challenge
     nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",   ← from the server's challenge
     uri="/dir/index.html",                        ← information known to the client
     qop=auth,                                     ← from the server's challenge
     nc=00000001,                                  ← computed by the client
     cnonce="0a4f113b",                            ← client nonce, generated by the client
     response="6629fae49393a05397450978507c4ef1",  ← the final digest (HA3)
     opaque="5ccc069c403ebaf9f0171e9517f40e41"     ← from the server's challenge
4. If authentication succeeds, the requested resource is returned. If it fails, status 401 is returned again, requiring re-authentication.
Special notes:
1. The password is never passed over the network in clear text, which improves the security of HTTP authentication.
2. When a user first sets a password for a realm, the server stores a hash value (HA1) derived from the user name, realm and password, rather than the password itself.
3. If qop=auth-int, the calculation of HA2 covers the request entity body in addition to the HTTP method and URI path, which protects PUT and POST request bodies against tampering.
4. However, Digest authentication only authenticates the request itself; it does not protect the data exchanged after authentication.
※ nonce: a random string; a different nonce is returned with every 401 response.
※ cnonce: a random string; every request gets a different cnonce.
※ MD5 (Message Digest Algorithm 5):
  ① username:realm:password ⇒ HA1
  ② HTTP method:URI ⇒ HA2
  ③ HA1:nonce:nc:cnonce:qop:HA2 ⇒ HA3 (the response value)
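The three MD5 steps above, worked through in Python as an added example (not code from the original page). The page's realm value is obscured, so this assumes the RFC 2617 example realm testrealm@host.com and its example password "Circle Of Life", which together with the page's nonce, URI, nc and cnonce reproduce the page's response value; the server-side verify() and the tampered-request checks are this example's own.

```python
import hashlib
import hmac


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # HA1 = MD5(username:realm:password); the server may store this instead of the password
    return _md5(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str, qop: str = "auth", body: bytes = b"") -> str:
    # qop=auth: MD5(method:uri); qop=auth-int additionally binds the entity body
    if qop == "auth-int":
        return _md5(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    return _md5(f"{method}:{uri}")


def response(h1: str, nonce: str, nc: str, cnonce: str, qop: str, h2: str) -> str:
    # response = MD5(HA1:nonce:nc:cnonce:qop:HA2), which the page calls HA3
    return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def verify(stored_ha1: str, p: dict, method: str, body: bytes = b"") -> bool:
    # Server-side check: recompute from the stored HA1 (never the password) and compare
    expected = response(stored_ha1, p["nonce"], p["nc"], p["cnonce"], p["qop"],
                        ha2(method, p["uri"], p["qop"], body))
    return hmac.compare_digest(expected, p["response"])


# The Authorization parameters as shown on the page (the RFC 2617 example values).
PAGE_PARAMS = {
    "username": "Mufasa", "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "uri": "/dir/index.html",
    "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}
# Assumption: the password is the RFC 2617 example password "Circle Of Life".
STORED_HA1 = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")


def check_page_example() -> bool:
    return verify(STORED_HA1, PAGE_PARAMS, "GET")


def check_tampered_uri() -> bool:
    # The same response value presented for a different URI must be rejected
    return verify(STORED_HA1, {**PAGE_PARAMS, "uri": "/dir/other.html"}, "GET")


if __name__ == "__main__":
    print("page example verifies:", check_page_example())
```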
WSSE (WS-Security) authentication ← an extension of HTTP authentication. With the WSSE UsernameToken profile, the server issues a challenge and the client generates response information from the user name, password, nonce and other information, and authenticates with that. ※ The password is not sent in clear text.
WSSE authentication steps:
1. The client accesses a resource protected by WSSE authentication.
2. The server returns status 401, requiring the client to authenticate.
   HTTP/1.1 401 Unauthorized
   WWW-Authenticate: WSSE realm="[email protected]", profile="UsernameToken" ← the server expects a response generated by the UsernameToken rule
   ※ UsernameToken rule: the client generates a nonce, then computes a hash value from the nonce, the password and the current date and time.
3. The client generates a nonce value, computes the hash value from the nonce, the password and the current date and time, and returns it to the server.
   Authorization: WSSE profile="UsernameToken"
   X-WSSE: UsernameToken Username="Mufasa", PasswordDigest="z2y...", Nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", Created="2010-01-01T09:00:00Z"
4. If authentication succeeds, the requested resource is returned. If it fails, status 401 is returned again, requiring re-authentication.
Special notes:
1. The password is not passed over the network in clear text.
2. No settings are required on the server side.
3. The server must store the password itself; otherwise it cannot verify the digest.
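The UsernameToken rule and note 3 above, as an added example (not code from the original page): the digest is Base64(SHA1(nonce + created + password)), so the server must hold the plaintext password to recompute it. The freshness window on Created and the rejection of an already-used nonce are this example's own server-side checks; the password, the server clock and the second nonce are constructed values.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: str, created: str, password: str) -> str:
    # PasswordDigest = Base64(SHA1(nonce + created + password))
    raw = hashlib.sha1((nonce + created + password).encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


class WsseVerifier:
    # Server side: needs the plaintext password (note 3), bounds the Created
    # timestamp to a freshness window and refuses a nonce it has already accepted.
    def __init__(self, passwords: dict, now: datetime, max_skew=timedelta(minutes=5)):
        self.passwords, self.now, self.max_skew = passwords, now, max_skew
        self.seen_nonces = set()

    def verify(self, username: str, digest: str, nonce: str, created: str) -> bool:
        password = self.passwords.get(username)
        if password is None or nonce in self.seen_nonces:
            return False
        try:
            ts = datetime.strptime(created, CREATED_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False
        if abs(self.now - ts) > self.max_skew:
            return False
        if not hmac.compare_digest(password_digest(nonce, created, password), digest):
            return False
        self.seen_nonces.add(nonce)
        return True


def demo() -> tuple:
    # Constructed sample: the page's Nonce and Created values, an assumed password,
    # and a server clock one minute after Created.
    nonce, created, pw = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "2010-01-01T09:00:00Z", "example-pw"
    server = WsseVerifier({"Mufasa": pw}, now=datetime(2010, 1, 1, 9, 1, tzinfo=timezone.utc))
    digest = password_digest(nonce, created, pw)
    accepted = server.verify("Mufasa", digest, nonce, created)
    replayed = server.verify("Mufasa", digest, nonce, created)  # same nonce presented again
    old = "2010-01-01T08:00:00Z"                                  # an hour before the server clock
    stale = server.verify("Mufasa", password_digest("n2", old, pw), "n2", old)
    return accepted, replayed, stale
```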