确定 web http 身份验证方法
如何确定 REST Web 服务是否使用 Basic、Kerberos、NTLM 还是许多其他身份验证方法之一?
How do you determine if a REST webservice is using Basic, Kerberos, NTLM, or one of the many other authentication methods?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
当您发送未经身份验证的请求时,服务必须以“HTTP/1.1 401 Unauthorized”进行响应,并且响应包含一个
WWW-Authenticate标头,指定所需的身份验证方案(Basic) code>、Digest)、安全领域和任何其他特定值(例如 Digets 的随机数)。因此,如果服务器响应:它需要摘要式身份验证。如果响应看起来像:
那么它需要基本身份验证。一些(糟糕的)实施的服务器/站点不能正确处理基本信息,而是直接响应 403 Forbidden,而不是首先进行挑战。
NTLM 与服务器响应 401 和值为
NTLM的 WWW-Authenticate 标头类似,但没有官方的公共规范,因为它是 Microsoft 专有的。有各种反向工程化描述。不幸的是,REST 没有附带 WSDL 风格的服务描述来发现先验使用的身份验证方案。
When you send an unauthenticated request the service has to respond with a "HTTP/1.1 401 Unauthorized" and the response contains a
WWW-Authenticateheader that specifies what authentication scheme is expected (Basic,Digest), the security realm and any other specific value (like Digets's nonce). So if the server responds with:it wants a Digest authentication. If the response looks like:
then it wants a Basic authentication. Some (poorly) implemented servers/sites don't handle the Basic correctly and respond directly with 403 Forbidden instead of challenging first.
NTLM is similar in as the server reponds with a 401 and a WWW-Authenticate header with the value
NTLM, but there is no official public spec for it, since is Microsoft proprietary. There are various reverse engineered descriptions.Unfortunately REST does not come with a WSDL style description of service to discover the authentication scheme used a priori.
您向其发送一个请求,大概会获得一个 HTTP 401 代码,然后查看
WWW-Authenticate标头(根据 RFC 2616)响应必须包含。相反,如果您收到 403 或其他一些奇怪的状态,或者缺少WWW-Authenticate标头,您就会咒骂不遵循核心 HTTP RFC 的网站作者,并开始嗅探流量以尝试对他们这次所做的非标准混乱进行逆向工程;-)。You send it a request, presumably get an HTTP 401 code, and look at the
WWW-Authenticateheader that (per RFC 2616) the responseMUSTinclude. If instead you get a 403 or some other weird status, or a missingWWW-Authenticateheader, you curse at website authors that don't follow the core HTTP RFC, and start sniffing the traffic to try to reverse engineer what nonstandard mess they've done this time;-).如果是黑盒场景,我通常会连接Fiddler,并检查实际流量。
If it's a black box scenario, I usually connect with Fiddler, and inspect the actual traffic.