自定义摘要身份验证

发布于 2024-10-23 14:22:47 字数 773 浏览 5 评论 0原文

  • 我制作了一个用于摘要身份验证的 Http 模块。在服务器上,对于页面的每个请求,该模块都会检查是否存在“authenticate”标头。如果此标头不存在,用户将收到 401 消息。
  • 在客户端,我使用 jQuery 插件进行摘要式身份验证。

据了解,我具有以下功能:

  1. 用户在两个输入字段中输入用户名和密码(不是在浏览器的 Http 身份验证提示中)
  2. 使用 jQuery,我对服务器上的某个受保护页面进行 ajax 调用。此 ajax 调用基于 Digest Http 协议。这意味着我要添加包含用户名、随机数、客户端随机数、MD5 哈希密码等的身份验证标头。
  3. 然后服务器响应 200 消息:)

如果用户转到另一个页面,它将收到“401 访问被拒绝”,因为没有验证该请求中的标头。这就是问题所在。

  • 如果我使用标准摘要协议,那么浏览器会自动在每个请求中添加授权标头,并且我不会遇到此问题。但我使用这种方式是因为我不知道用户在浏览器的 Http 身份验证对话框中填写他的凭据。我们想要有我们的自定义对话框。在 jQuery DigestJ 插件中,标头称为“authenticate”而不是“authorization”,协议称为 DigestJ 而不是 Digest。这样,当服务器响应 401 消息时,我就不会收到用于输入凭据的浏览器 Http 对话框。我们不能使用表单身份验证。
  • 我可以使用 jQuery 会话插件在客户端存储用户凭据,但如何修改每个请求的 Http 标头?我需要添加“身份验证”标头并插入会话中的凭据。
  • I've made a Http module for digest authentication. On the server, on every request for a page this module check for existing of 'authenticate' header. If this header doesn't exist the user will get 401 message.
  • On the client side, I'm using the jQuery plugin for Digest authentication.

For know I have the flowing functionality:

  1. The user enter username and password in two input fields (not in the browser Http Authentication prompt)
  2. With jQuery I'm making ajax call to some protected page on the server. This ajax call is based on the Digest Http protocol. That means I'm adding authenticate header with username, noncecount, clientnonce, MD5 hashed password and etc.
  3. Then the server response with 200 message :)

If the user go to another page it will get "401 access denied" because there isn't authenticate header in that request. And that is the problem.

  • If I go with the standard digest protocol, then the browser automatically add authorization header in every request and I don't have this problem. But I'm using on this way because I don't what the user to fill his credentials in the browser Http Authentication dialog. We want to have our custom dialog. In the jQuery DigestJ plugin the header is called 'authenticate' instead of 'authorization' and the protocol is called DigestJ instead of Digest. That way I don't get the browsers Http Dialog for entering credentials when the server response with 401 message. We can't use form authentication.
  • I can store user credentials on the client side with jQuery session plugin, but how to modify the Http headers on every request? I need to add 'authenticate' header and to insert the credentials from the session.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

回眸一遍 2024-10-30 14:22:47

我使用基本的 HTTP 身份验证来使用 joomla 组件中的 REST Web 服务,并且我的用户无需输入任何内容(只需登录 joomla 一次)。我只是获取已经登录的用户,然后使用 CURL 将其发送到我的网络服务。

    $ch = curl_init();
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
//$username and $pass are the vars that will be used for authentication you can get them from your session or a cookie or in my case i got them from joomla JFactory::getUser()->username and JFactory::getUser()->password
        curl_setopt($ch, CURLOPT_USERPWD, JFactory::getUser()->username.':'.JFactory::getUser()->password);
    //here comes the important thing
        curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);

        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $response=curl_exec($ch);

另一方面,您只需检查 $_SERVER['PHP_AUTH_USER']$_SERVER[' PHP_AUTH_PW'] 针对您的数据库,您就完成了

if (!isset($_SERVER['PHP_AUTH_USER'])||$_SERVER['PHP_AUTH_USER']==''||!isset($_SERVER['PHP_AUTH_PW'])||$_SERVER['PHP_AUTH_PW']=='') {
    header('WWW-Authenticate: Basic realm="Something"');
    header('HTTP/1.0 401 Unauthorized');
   echo 'You must be a valid user to access this contents';
   exit;
} else {
       // go to your database check they are valid and return whatever you want to return
}

I'm using basic HTTP authentication to consume REST web services from a joomla component and my users don't have to type in anything (the only have to log in on joomla once). I just grab the user already logged in and then i send it to my web service using CURL

    $ch = curl_init();
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
//$username and $pass are the vars that will be used for authentication you can get them from your session or a cookie or in my case i got them from joomla JFactory::getUser()->username and JFactory::getUser()->password
        curl_setopt($ch, CURLOPT_USERPWD, JFactory::getUser()->username.':'.JFactory::getUser()->password);
    //here comes the important thing
        curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);

        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $response=curl_exec($ch);

On the other side you just have to check $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] against your database and you're done

if (!isset($_SERVER['PHP_AUTH_USER'])||$_SERVER['PHP_AUTH_USER']==''||!isset($_SERVER['PHP_AUTH_PW'])||$_SERVER['PHP_AUTH_PW']=='') {
    header('WWW-Authenticate: Basic realm="Something"');
    header('HTTP/1.0 401 Unauthorized');
   echo 'You must be a valid user to access this contents';
   exit;
} else {
       // go to your database check they are valid and return whatever you want to return
}
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文