强制浏览器发送一些HTTP请求头
我需要包括一些安全(基本身份验证)应用程序。
当我在浏览器中打开应用程序 URL 时,浏览器要求我输入您的凭据...
我所知道的是:
- 浏览器向服务器请求获取 一些 URL -- 应用程序的 URL
- 服务器检查请求头 对于
身份验证标头和 没找到- 服务器发送
401到 浏览器返回- 浏览器解释此响应 代码到消息对话框中 向我显示要求我输入 要发送回的用户名/密码
身份验证中的服务器 请求头
到目前为止...很好,我可以编写一些页面(在 JSP 中),将所需的 http 请求标头发送到调用该页面的请求。 因此,我将通过我的页面调用此应用程序。
这里的问题是,此应用程序(实际上是 GWT 应用程序)包含对来自托管此应用程序的服务器的一些 Javascript 和 CSS 文件的引用。我导入的应用程序页面如下所示:
<html>
<link href="http://application_host/cssfile.css" />
<link href="http://application_host/javascriptfile.js" />
.....
</html>
因此,我再次发现应用程序要求我提供 css 和 js 文件的身份验证凭据!
我正在考虑很多解决方案,但不知道每种解决方案的适用性 一种
- 解决方案是询问浏览器 (通过Javascript)发送请求 标头(
身份验证),当他 向服务器请求 js 和 css 文件
请给我您对此的意见...以及任何其他建议将非常受欢迎。
谢谢。
I need to include some secure (BASIC authentication) application.
when I open the application URL in the browser, the browser asks me to enter your credentials ...
what I know is that:
- The browser ask the server to get
some URL -- the url of the app- The server checks the request header
for theAuthentication headerand
didn't find it- The server sends
401to the
browser back- The browser interpret this response
code into a message dialog that
shows to me asking me to enter the
username/password to send back to
the server in theAuthentication
request header
So far... so good, I can write some page (in JSP) that send this required http request header to the request that is calling this page..
So I'll call this application through my page..
The problem here is, this application (in fact a GWT application) contains a reference to some Javascript and CSS files that is coming from the server that hosts this application. the application page that I import looks like:
<html>
<link href="http://application_host/cssfile.css" />
<link href="http://application_host/javascriptfile.js" />
.....
</html>
So, again I found the application asks me for the authentication crenditals for the css and js files!
I am thinking of many solutions but don't know the applicability of each
- One solution is to ask the browser
(via Javascript) to send the request
header (Authentication) when he
asks the server for the js and css
files
please give me your opinions about that... and any other suggestions will be very welcomed.
Thanks.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
我认为您的服务器配置方式遇到了一些奇怪的情况。身份验证发生在身份验证领域的上下文中。您的资产应该与您的页面位于同一身份验证领域,或者(更有可能)根本不需要身份验证。浏览器应该缓存给定领域的凭据,并且不会再次提示输入它们。
请参阅 http://en.wikipedia.org/wiki/Basic_access_authentication 上的协议示例
I think you're running into some weirdness with how your server is configured. Authentication happens in context of a authentication realm. Your assets should either be in the same authentication realm as your page, or (more likely) should not require authentication at all. The browser should be caching credentials for the given realm, and not prompt for them again.
See the protocol example on http://en.wikipedia.org/wiki/Basic_access_authentication
从你的故事来看,我知道你的问题在于身份验证方法本身。不是如何实现。为什么要这么费劲去处理请求头呢?
据我所知,您可以配置容器(即 Tomcat)以强制对某些 url 进行 http 身份验证。您的容器将确保已进行身份验证。无需自己设置 http 标头。
也许您可以更好地解释您想要实现的目标,而不是告诉实现细节?
Judging from your story, something tells me your problem is with the authentication method itsef. Not how to implement it. Why do you want to bother with the request header so much?
As far as i know, you can configure your container (ie Tomcat) to force http authentication for certain urls. Your container will make sure that authentication has taken place. No need to set http headers yourself whatsoever.
Perhaps you can explain a bit better what you are trying to achieve, instead of telling implementation details?
为什么CSS和CSS js 文件保存在服务器的受保护区域中吗?您需要将文件放入服务器的公共区域。如果你没有公共区域,那么你需要准备它。如何做到这一点取决于服务器端软件架构&配置。
Why css & js files are kept in protected area of server? You need to place files into public area of your server. If you don't have public area, so you nead to prpvide for it. how to do it depends from serverside software architecture & configuration.