HTTP Authentication - WWW-Authenticate header - multiple realms
Does anyone have any experience of supporting multiple realms in HTTP Authentication?
The Microsoft website states:
Each authenticate response header contains an available authentication scheme and a realm. If multiple authentication schemes are supported, the server returns multiple authenticate response headers. The realm value is case-sensitive and defines a protection space on the proxy or server. For example, the header "WWW-Authenticate: Basic Realm="example"" would be an example of a header returned when server authentication is required.
This suggests that different areas of a website can be secured using different authentication methods. What we are confused about is how to determine what realm should be stated in the server response to a client request.
Does anyone have any examples of how multiple realms work?
Comments (2)
I have one good example of multiple authenticate headers when using a SharePoint site.
SharePoint offers both Negotiate and NTLM on the first connection.
Firefox chooses NTLM, but Chrome chooses Negotiate.
It is also a consequence that Chrome will always send the Authorization header along with the other requests, but Firefox only at the beginning, because of the NTLM challenge-response protocol. See here for more explanation: http://www.innovation.ch/personal/ronald/ntlm.html
The HTTP specification allows for multiple WWW-Authenticate challenges to be present in a response, either within the same WWW-Authenticate header or using multiple WWW-Authenticate headers within the same response. There are problems associated with this, as described in RFC 2617, section 4.6. In theory, the client must choose the strongest authentication mechanism available; however, defining which one is the strongest is not always obvious.
I've never tried with multiple realms (and the same scheme, for example Basic), but I'm not aware of anything disallowing it. The main problem with multiple realms and the same scheme is that the browser is likely to be confused in terms of user interface, in particular which realm it challenges the user with.
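As an added example (not code from the question or either answer), here is a small client-side parser that handles both layouts the answer above describes, several challenges in one WWW-Authenticate header and one challenge per header, and then applies an explicit scheme preference, since RFC 2617 leaves "strongest" to the client. The header values and the preference order are constructed for this example.

```python
import re

# One token of a challenge list: either a key=value parameter (quoted or bare
# value) or a bare scheme name.  token68 values (e.g. "Negotiate <blob>") are
# not handled here because a server's first challenge normally has none.
_PARAM_OR_SCHEME = re.compile(
    r'\s*(?:'
    r'(?P<key>[A-Za-z0-9_.~+-]+)\s*=\s*(?:"(?P<qval>(?:[^"\\]|\\.)*)"|(?P<val>[^\s,"]+))'
    r'|(?P<scheme>[A-Za-z0-9_.~+-]+)'
    r')\s*,?'
)

def parse_challenges(header_values):
    """Return [(scheme, params), ...] for every challenge in the given
    WWW-Authenticate header values (one list entry per header line; a line
    may itself carry several comma-separated challenges)."""
    challenges = []
    for value in header_values:
        pos, current = 0, None
        while pos < len(value):
            m = _PARAM_OR_SCHEME.match(value, pos)
            if not m:
                break  # malformed remainder; keep what was parsed so far
            pos = m.end()
            if m.group("scheme"):
                # A bare token starts a new challenge; following params belong to it.
                current = (m.group("scheme").lower(), {})
                challenges.append(current)
            elif current is not None:
                raw = m.group("qval") if m.group("qval") is not None else m.group("val")
                current[1][m.group("key").lower()] = re.sub(r'\\(.)', r'\1', raw)
    return challenges

# Constructed client policy, strongest first.  The spec does not define this
# ordering, which is exactly why two browsers can pick differently.
PREFERENCE = ("negotiate", "ntlm", "digest", "basic")

def choose_challenge(challenges, realm=None):
    """Pick the highest-preference challenge, optionally limited to one realm
    (the same scheme may appear once per protection space).  Returns None when
    no challenge uses a scheme this client understands."""
    candidates = [c for c in challenges if realm is None or c[1].get("realm") == realm]
    for scheme in PREFERENCE:
        for c in candidates:
            if c[0] == scheme:
                return c
    return None
```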