Digest authentication (summary authentication) ← proposed in HTTP/1.1 as an alternative to Basic authentication
The server challenges the client with a nonce; the client builds a response from the user name, password, nonce, HTTP method, requested URI and other information, and the server authenticates the request based on that response.
※ The password itself is never sent in clear text.
Digest authentication steps:
1. The client accesses a resource protected by HTTP Digest authentication.
2. The server returns a 401 status together with nonce information, requiring the client to authenticate.
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest
    realm="testrealm@host.com",
    qop="auth,auth-int",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    opaque="5ccc069c403ebaf9f0171e9517f40e41"
3. The client returns digest information to the server, computed from the user name, password, nonce value, HTTP method and requested URI (by default with the MD5 algorithm).
Five pieces of information are required for authentication:
realm: taken from the server's challenge response
nonce: taken from the server's challenge response
username: the user name
digest-uri: the URI of the request
response: the string derived with the MD5 algorithm from the four items above plus the password.
Authorization: Digest
    username="Mufasa",                                 ← information known to the client
    realm="testrealm@host.com",                        ← from the server-side challenge response
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",        ← from the server-side challenge response
    uri="/dir/index.html",                             ← information known to the client
    qop=auth,                                          ← from the server-side challenge response
    nc=00000001,                                       ← computed by the client (nonce count)
    cnonce="0a4f113b",                                 ← client nonce, generated by the client
    response="6629fae49393a05397450978507c4ef1",       ← final digest (HA3 below)
    opaque="5ccc069c403ebaf9f0171e9517f40e41"          ← from the server-side challenge response
4. If authentication succeeds, the requested resource is returned. If it fails, a 401 status is returned again, requiring re-authentication.
Special notes:
1. The password is not passed over the network in plaintext, which improves the security of HTTP authentication.
2. When a user first sets a password for a realm, the server saves the hash value HA1 derived from the user name, realm and password, rather than the password itself.
3. If qop=auth-int, the calculation of HA2 covers not only the HTTP method and URI path but also the request entity body, which prevents the bodies of PUT and POST requests from being tampered with unnoticed.
4. However, Digest authentication only authenticates the request; it cannot guarantee the security of the data exchanged after authentication.
※ nonce: a random string; a different nonce is returned with every 401 response.
※ cnonce (client nonce): a random string; the client generates a different one for every request.
※ MD5 (Message-Digest Algorithm 5)
① MD5(username:realm:password) ⇒ HA1
② MD5(HTTP method:URI) ⇒ HA2
③ MD5(HA1:nonce:nc:cnonce:qop:HA2) ⇒ HA3 (the response field)
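The three MD5 steps above, worked through on both sides of the exchange, as an added example that is not part of the original post. The sample values (Mufasa, testrealm@host.com, the nonce, nc, cnonce and the expected response) are the ones quoted above, which come from RFC 2617 section 3.5; the password "Circle Of Life" is the RFC's example password and is not shown in the post. The function names are this example's own.

```python
# Added example (not from the original post): HTTP Digest response computation
# and server-side verification, following the HA1/HA2/HA3 steps described above.
import hashlib
import hmac


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    # ① MD5(username:realm:password). As note 2 says, the server stores this
    # value instead of the password.
    return md5_hex(f"{username}:{realm}:{password}")


def compute_ha2(method: str, uri: str, qop: str, body: bytes = b"") -> str:
    # ② MD5(method:URI) for qop=auth. For qop=auth-int the MD5 of the request
    # entity body is appended (note 3), so a modified body no longer verifies.
    if qop == "auth-int":
        return md5_hex(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    return md5_hex(f"{method}:{uri}")


def compute_response(ha1: str, nonce: str, nc: str, cnonce: str, qop: str, ha2: str) -> str:
    # ③ MD5(HA1:nonce:nc:cnonce:qop:HA2) -> the "response" field (HA3 in the post).
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(username, realm, password, method, uri, nonce, nc, cnonce, qop, body=b""):
    """What the client places in Authorization: ... response="..." """
    return compute_response(compute_ha1(username, realm, password), nonce, nc, cnonce, qop,
                            compute_ha2(method, uri, qop, body))


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, qop, response, body=b""):
    """Server-side check that needs only the stored HA1, never the password."""
    expected = compute_response(stored_ha1, nonce, nc, cnonce, qop,
                                compute_ha2(method, uri, qop, body))
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(expected, response)


# RFC 2617 section 3.5 sample values; the post quotes all of them except the
# password "Circle Of Life", which is the RFC's example password.
RFC_EXAMPLE = dict(
    username="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
    method="GET", uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001",
    cnonce="0a4f113b", qop="auth",
)


def rfc_example_response() -> str:
    return client_response(**RFC_EXAMPLE)


if __name__ == "__main__":
    print(rfc_example_response())  # 6629fae49393a05397450978507c4ef1
```

The server side keeps only HA1, exactly as note 2 describes, and the auth-int path shows why note 3 holds: the same request with a different body yields a different response and fails verification.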
WSSE (WS-Security) authentication ← an extension of HTTP authentication
WSSE UsernameToken
※ The password itself is never sent in clear text.
WSSE authentication steps:
1. The client accesses a resource protected by WSSE authentication.
2. The server returns a 401 status, requiring the client to authenticate.
HTTP/1.1 401 Unauthorized
WWW-Authenticate: WSSE
    realm="testrealm@host.com",
    profile="UsernameToken"   ← the server expects a response built according to the UsernameToken rules
※ UsernameToken rule: the client generates a nonce and computes a hash from the nonce, the password and the creation time.
3. The client generates a nonce value, computes the hash from the nonce, the password and the creation time, and sends it back to the server.
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken
    Username="Mufasa",
    PasswordDigest="z2y ...",
    Nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    Created="2010-01-01T09:00:00Z"
4. If authentication succeeds, the requested resource is returned. If it fails, a 401 status is returned again, requiring re-authentication.
Special notes:
1. The password is not passed over the network in plaintext.
2. No settings are required on the server side.
3. The server side must store the password itself; otherwise it cannot verify the digest.
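Generating and verifying the UsernameToken from steps 2 and 3, as an added example that is not part of the original post. The post does not name the hash; this example assumes the widely used UsernameToken profile in which PasswordDigest = Base64(SHA1(nonce + created + password)) and the nonce is sent Base64-encoded. The class and function names, the 5-minute freshness window and the nonce cache are this example's own choices; the server keeps the plaintext password, as note 3 requires.

```python
# Added example (not from the original post): WSSE UsernameToken creation on
# the client and verification on the server, with replay and staleness checks.
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
# Matches the Created value shown in the post's X-WSSE header.
EXAMPLE_NOW = datetime(2010, 1, 1, 9, 0, 0, tzinfo=timezone.utc)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    # Assumed profile: Base64(SHA1(nonce + created + password)).
    raw = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def make_usernametoken(username: str, password: str, now: datetime) -> dict:
    # Client side (step 3): fresh random nonce + creation timestamp + password.
    nonce = secrets.token_bytes(16)
    created = now.strftime(TS_FORMAT)
    return {
        "Username": username,
        "PasswordDigest": password_digest(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
    }


def format_x_wsse(token: dict) -> str:
    # Renders the X-WSSE header value in the layout shown above.
    return ('UsernameToken Username="{Username}", PasswordDigest="{PasswordDigest}", '
            'Nonce="{Nonce}", Created="{Created}"').format(**token)


class WsseVerifier:
    """Server side: needs the plaintext password (note 3) and rejects stale
    timestamps and reused nonces so a captured token cannot be replayed."""

    def __init__(self, passwords: dict, max_age: timedelta = timedelta(minutes=5)):
        self.passwords = passwords      # username -> plaintext password
        self.max_age = max_age
        self.seen_nonces = set()        # (username, nonce) pairs already accepted

    def verify(self, token: dict, now: datetime) -> bool:
        password = self.passwords.get(token["Username"])
        if password is None:
            return False
        created = datetime.strptime(token["Created"], TS_FORMAT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.max_age:
            return False                # Created too old or too far in the future
        key = (token["Username"], token["Nonce"])
        if key in self.seen_nonces:
            return False                # replay of an already-used nonce
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False
        self.seen_nonces.add(key)
        return True


if __name__ == "__main__":
    token = make_usernametoken("Mufasa", "example-password", EXAMPLE_NOW)
    print("X-WSSE:", format_x_wsse(token))
    print(WsseVerifier({"Mufasa": "example-password"}).verify(token, EXAMPLE_NOW))
```

Because the digest is computed over a nonce and a timestamp rather than over the request, the only things the server can check are the password, the freshness of Created and that the nonce has not been seen before; a verifier that skips the last two checks accepts any previously captured token.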
Dumb Cat:
<?php
// Note: the Authorization header below only echoes the challenge parameters
// (realm, nonce, algorithm, qop). A complete Digest Authorization header must
// also carry username, uri, nc, cnonce and the computed response, as shown above.
$curl = curl_init();
curl_setopt_array($curl, array(
    CURLOPT_URL => "http://localhost/merchant/test/uokosvc_tests/testSend",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "GET",
    CURLOPT_POSTFIELDS => "-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"11\"\r\n\r\n11\r\n-----011000010111000001101001--",
    CURLOPT_HTTPHEADER => array(
        "Authorization: Digest realm=\"myrealm\", nonce=\"47alf7cf25ce7\", algorithm=md5, qop=\"auth\"",
        "Cache-Control: no-cache",
        "Content-Type: multipart/form-data; boundary=---011000010111000001101001",
        "Postman-Token: 15d74451-86d0-e02b-3990-598cd1fec7c6"
    ),
));
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
    echo "cURL Error #: " . $err;
} else {
    echo $response;
}