Determining the web HTTP authentication method
How do you determine if a REST webservice is using Basic, Kerberos, NTLM, or one of the many other authentication methods?
Comments (3)
When you send an unauthenticated request the service has to respond with a "HTTP/1.1 401 Unauthorized" and the response contains a WWW-Authenticate header that specifies what authentication scheme is expected (Basic, Digest), the security realm and any other specific value (like Digest's nonce). So if the server responds with:

it wants a Digest authentication. If the response looks like:

then it wants a Basic authentication. Some (poorly) implemented servers/sites don't handle the Basic correctly and respond directly with 403 Forbidden instead of challenging first.

NTLM is similar in that the server responds with a 401 and a WWW-Authenticate header with the value NTLM, but there is no official public spec for it, since it is Microsoft proprietary. There are various reverse engineered descriptions. Unfortunately REST does not come with a WSDL style description of the service to discover the authentication scheme used a priori.
You send it a request, presumably get an HTTP 401 code, and look at the WWW-Authenticate header that (per RFC 2616) the response MUST include. If instead you get a 403 or some other weird status, or a missing WWW-Authenticate header, you curse at website authors that don't follow the core HTTP RFC, and start sniffing the traffic to try to reverse engineer what nonstandard mess they've done this time ;-).
If it's a black box scenario, I usually connect with Fiddler, and inspect the actual traffic.
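The probe all three answers describe (send one unauthenticated request, read the 401's WWW-Authenticate challenge, and treat a 403 with no challenge as the misbehaving case), as an added Python example that is not code from any of the answers. It goes a little beyond them: it also handles several challenges in one header value and several WWW-Authenticate lines, which RFC 7235 allows and which Windows-backed services commonly send (Negotiate plus NTLM). The sample responses are constructed, and the `detect_auth`, `probe` and `parse_www_authenticate` names are this example's own, not an API of any library.

```python
"""Probe an HTTP endpoint for the authentication scheme(s) it expects.
Added example, not code from the answers above; sample responses are constructed."""
import re
from typing import Dict, List, Tuple

# RFC 7235 auth-param: token "=" ( token / quoted-string ), simplified.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PARAM_RE = re.compile(rf'^({TOKEN})\s*=\s*("(?:[^"\\]|\\.)*"|{TOKEN})$')


def split_challenges(value: str) -> List[str]:
    """Split a header value on commas that are outside quoted-strings."""
    parts: List[str] = []
    buf: List[str] = []
    quoted, i = False, 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and quoted and i + 1 < len(value):
            buf.append(ch)          # keep the escape and the escaped char
            i += 1
            ch = value[i]
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf, i = [], i + 1
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def unquote(v: str) -> str:
    """Strip surrounding quotes and undo backslash escapes of a quoted-string."""
    if len(v) >= 2 and v[0] == v[-1] == '"':
        return re.sub(r"\\(.)", r"\1", v[1:-1])
    return v


def parse_www_authenticate(values: List[str]) -> List[Dict]:
    """Turn WWW-Authenticate field values into challenges:
    [{'scheme': 'Digest', 'params': {...}, 'token68': None}, ...]."""
    challenges: List[Dict] = []
    for value in values:
        for piece in split_challenges(value):
            m = PARAM_RE.match(piece)
            if m and challenges:
                # A bare name=value continues the current challenge (Digest nonce, qop, ...).
                challenges[-1]["params"][m.group(1).lower()] = unquote(m.group(2))
                continue
            scheme, _, rest = piece.partition(" ")
            chal: Dict = {"scheme": scheme, "params": {}, "token68": None}
            rest = rest.strip()
            if rest:
                pm = PARAM_RE.match(rest)
                if pm:
                    chal["params"][pm.group(1).lower()] = unquote(pm.group(2))
                else:
                    chal["token68"] = rest   # e.g. an NTLM type-2 message blob
            challenges.append(chal)
    return challenges


def detect_auth(status: int, headers: List[Tuple[str, str]]) -> Dict:
    """Classify an unauthenticated probe response the way the answers describe."""
    www = [v for k, v in headers if k.lower() == "www-authenticate"]
    challenges = parse_www_authenticate(www)
    if status == 401 and challenges:
        verdict = "challenge"
    elif status == 401:
        verdict = "noncompliant: 401 without WWW-Authenticate"
    elif status == 403:
        verdict = "no challenge: 403 without a 401 first (broken Basic handling, or not HTTP auth at all)"
    else:
        verdict = "no authentication challenge"
    return {"status": status, "schemes": [c["scheme"] for c in challenges],
            "challenges": challenges, "verdict": verdict}


def probe(url: str, timeout: float = 10.0) -> Dict:
    """Live variant: one unauthenticated GET, classified (network; unused by the samples)."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, headers={"User-Agent": "auth-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return detect_auth(resp.getcode(), list(resp.headers.items()))
    except urllib.error.HTTPError as err:          # 401/403 land here, headers intact
        return detect_auth(err.code, list(err.headers.items()))


# Constructed sample responses (status, header list) for the cases in the answers.
SAMPLES = {
    "digest": (401, [("WWW-Authenticate",
                      'Digest realm="api@example.test", qop="auth,auth-int", '
                      'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"')]),
    "basic": (401, [("WWW-Authenticate", 'Basic realm="WallyWorld"')]),
    "windows": (401, [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]),
    "mixed": (401, [("WWW-Authenticate", 'Negotiate, NTLM, Basic realm="corp"')]),
    "broken": (403, [("Content-Type", "text/html")]),
}

if __name__ == "__main__":
    for name, (status, headers) in SAMPLES.items():
        r = detect_auth(status, headers)
        print(f"{name:8s} {r['status']} {r['verdict']}: {r['schemes']}")
```

Run it as-is to see the five constructed cases classified, or call `probe("https://host/api/")` against a real endpoint. The comma splitter is quote-aware because Digest's `qop="auth,auth-int"` would otherwise be torn apart, and a scheme followed by a base64 blob rather than `name=value` is kept as `token68`, which is what an NTLM type-2 message looks like on the wire. A 403 with no challenge tells you nothing about the scheme, which is exactly the point where the third answer reaches for Fiddler.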