Interface Test VI (Basic Authentication)

Source: Internet
Author: User
Tags base64 oauth

Reposted from: http://www.360doc.com/content/16/0128/15/30056680_531241482.shtml


The HTTP protocol is stateless: like two blind people, the two sides cannot recognize each other. A request has no relationship to the previous request from the same client, and the HTTP server cannot tell that the two requests came from the same client.

The server needs some way to learn the identity of the user making the request. Once the server knows who the user is, it can decide which transactions and resources that user may access. Authentication is the process by which the client proves who the accessing user is. Typically, HTTP Basic authentication does this by having the client supply a username and password.

The client interacts with the web server over the HTTP protocol. Instead of using cookies, the client sends the string 'username + colon + password', Base64-encoded, in the Authorization header of the HTTP request to the server. This is called HTTP Basic authentication.

When a browser accesses a web site that uses Basic authentication (for example, when we download an attachment from a forum such as http://120.25.145.237/upload/forum.php?mod=viewthread&tid=15), the browser prompts you to log in (enter a username and password), as shown below.

If the username or password is incorrect, the server returns 401, as shown in the following figure.

II. The principle of authentication
III. HTTP Basic authentication process

Step 1: The client sends an HTTP request to the server.

Step 2: Because the request contains no Authorization header, the server returns 401 Unauthorized to the client and adds a WWW-Authenticate header to the response.

Step 3: The client Base64-encodes the username and password, places the result in the Authorization header, and resends the request to the server.

Step 4: The server extracts the username and password from the Authorization header and verifies them. If verification succeeds, it sends the requested resource to the client.
Using the Auth tab under Fiddler's Inspectors, you can easily see the username and password:


IV. HTTP Basic authentication and HTTPS

Although the Base64-encoded 'username + colon + password' string cannot be read at a glance, a program decodes it trivially; in the image above, Fiddler decodes it directly. So sending such requests over plain HTTP is very unsafe. HTTPS is generally used for transmission instead, because HTTPS encrypts the connection and is therefore more secure.
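The four-step exchange from section III, and the point of section IV that Base64 is an encoding rather than encryption, as an added Python example that is not part of the original article. It simulates both sides in one process: the server challenges with WWW-Authenticate, the client builds the Authorization header, and the server decodes and verifies it. The user "alice", the realm name and the password are constructed values; a real server would store a salted password hash rather than the plaintext shown here.

```python
import base64
import hmac

# Constructed credential store for this example (hypothetical user "alice").
# The password deliberately contains colons: only the FIRST colon in the
# decoded string separates username from password.
USERS = {"alice": "s3cret:with:colons"}
REALM = "example"   # constructed realm name


def build_basic_header(username: str, password: str) -> str:
    """Step 3: what the client puts in the Authorization header."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_header(value: str):
    """Reverse the encoding (what Fiddler's Auth tab does).

    Returns (username, password), or None if the header is not a
    well-formed Basic credential.
    """
    scheme, _, payload = value.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    username, _, password = decoded.partition(":")
    return username, password


def handle_request(headers: dict) -> dict:
    """Server side of steps 2 and 4. `headers` maps header name to value."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    auth = headers.get("Authorization")
    if auth is None:
        # Step 2: no credentials yet, so challenge the client.
        return {"status": 401, "headers": challenge, "body": ""}
    creds = decode_basic_header(auth)
    if creds is None:
        return {"status": 400, "headers": {}, "body": "malformed Authorization header"}
    username, password = creds
    expected = USERS.get(username)
    # Constant-time comparison so response timing does not leak where the
    # supplied password first differs from the stored one.
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        return {"status": 200, "headers": {}, "body": f"hello {username}"}
    return {"status": 401, "headers": challenge, "body": ""}


def run_exchange(username: str, password: str) -> int:
    """Walk through steps 1 to 4 and return the final HTTP status."""
    first = handle_request({})                         # steps 1 and 2
    assert first["status"] == 401 and "WWW-Authenticate" in first["headers"]
    header = build_basic_header(username, password)    # step 3
    second = handle_request({"Authorization": header})  # step 4
    return second["status"]


if __name__ == "__main__":
    h = build_basic_header("alice", "s3cret:with:colons")
    print(h)                          # what travels on the wire
    print(decode_basic_header(h))     # recovered with one library call
    print(run_exchange("alice", "s3cret:with:colons"))
    print(run_exchange("alice", "wrong"))
```

Two details worth noting: `decode_basic_header` splits on the first colon only, because RFC 7617 allows colons in the password, and a server that split on the last colon would reject such users; and the decode needs no key or secret, which is exactly why the header must travel over HTTPS.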


V. HTTP OAuth authentication

With OAuth over HTTP, the Authorization header carries a token rather than a username and password.

Microsoft's SkyDrive uses this approach, as shown in the following figure.

VI. Other authentication methods

In addition to Basic authentication, there are also Digest authentication and WSSE (WS-Security) authentication.


VII. Security flaws in Basic authentication

Basic authentication sends the username and password over the network. Base64 encoding may hide them from a casual glance, but they are easily recovered by reversing the encoding.

Even if the password were encrypted in a way that is harder to decode, a third party could still capture the encoded username and password and gain access to the server through a replay attack.

Many users reuse the same username and password across different services. Because Basic authentication sends them directly, this also puts more important services, such as online banking sites, at risk.

Basic authentication provides no protection against proxies and man-in-the-middle nodes: they can leave the authentication header untouched while modifying the rest of the message, which can seriously change the nature of the transaction.

Fake servers can easily defeat Basic authentication. If the user is actually connected to a malicious server or gateway that makes the user believe it is a legitimate host protected by Basic authentication, the attacker can simply ask the user to enter the password.

In IIS, a site has anonymous authentication enabled by default and can be accessed directly.
