Web authentication Mode--http Basic authentication

Tag: text indicates that the Web API has a height of PSR user input via effect

HTTP Basic Authentication is the authentication method in the Web system defined in the HTTP protocol. Reference Wiki

The main implementation mechanisms are as follows:

1. The user accesses the Web resource anonymously through the browser.

2. The Web server detects that the Web resource requires authenticated users to be able to access it. Returns response (status code 401) to the browser. The response will carry the following header:

Www-authenticate: {Authentication schema} realm= "{The Realm of the resource}"

For the header, value:

Authentication schema is the authentication method used to represent the resource, and the Http Basic authentication corresponds to the value of basic

Realm is a logical division of Web resources. To facilitate different types of resources for different authentication methods. This is self-defining.

3. When the Web browser receives response, a dialog box pops up to let the user enter the user name and password. Then resend the request to the Web resource. The validation information entered by the user is included in the authorization header.

Authorization:basic qwxhzgrpbjppcgvuu2vzyw1l

The basic here is the authentication method, and the subsequent string is the string that is Base64 encoded with the user name and password of the user entered in a particular format combination (Username:name).

4. After the Web server receives the new request, the authorization header is decoded and verified, and the resource is returned if the validation is passed. Otherwise returns 401

The following is a demonstration of the implementation of basic validation through ASP.

First we assume that there is already a Web API (GET http://localhost/api/values), and we need to implement basic validation on it.

1. We add a authentication middleware that is responsible for verifying

 Public classauthenticatemiddleware{Private ReadOnlyrequestdelegate _next;  PublicAuthenticatemiddleware (requestdelegate next) {_next=Next; }   PublicTask InvokeAsync (HttpContext context) {if(Context = =NULL)    {      Throw NewSystem.ArgumentNullException (nameof (context)); }    if(!context. Request.Headers.ContainsKey ("Authorization") {context. Response.statuscode=401; Context. response.headers["www-authenticate"] ="Basic realm= ' My Realm '"; returntask.fromresult<Object> (NULL); }    return_next.  Invoke (context); }}

2. Add middleware to Pipeline

 Public void Configure (Iapplicationbuilder app, Ihostingenvironment env) {            if  (env. Isdevelopment ())            {                app. Usedeveloperexceptionpage ();            }             Else             {                app. Usehsts ();            }             // Register Middleware            App. Usemiddleware<authenticatemiddleware>();            App. Usehttpsredirection ();            App. Usemvc (); }

So that all our resources are protected. However, any content entered by the user can be verified by ^_^. Only as a demonstration here

Look at the effect:

When we access the resource, the browser prompts us to enter the user name and password. After the input, the browser sends the request again. and bring the authorization head:

Then we can see the data of the resource being accessed. The browser caches the value of authorization for a period of time (different browser implementations) and then carries it in subsequent requests.

Basic verification is actually very insecure, the value of authorization is only base64 encoded, but the security is very low, can be directly anti-coding. Therefore, basic validation is best used with HTTPS to ensure security.

Web authentication Mode--http Basic authentication