HTTP digest authentication fails due to wrong nonce-count in iOS 10


Problem description

HTTP digest authentication no longer works in our app since iOS 10 due to a wrong nonce-count in the Authorization: Digest header generated by NSURLSession.

The same code works in iOS 9, but fails to authenticate in iOS 10:

  1. Create a POST request with NSURLRequest
  2. Fire it with NSURLSession
  3. Handle NSURLAuthenticationMethodHTTPDigest in the urlSession(_:didReceive:completionHandler:) delegate
  4. The server responds with a 401 and a qop="auth" string as expected
  5. The app requests again with the Authorization: Digest header set.

According to RFC 2617:

nonce-count
    This MUST be specified if a qop directive is sent (see above), and MUST NOT be specified if the server did not send a qop directive in the WWW-Authenticate header field. The nc-value is the hexadecimal count of the number of requests (including the current request) that the client has sent with the nonce value in this request. For example, in the first request sent in response to a given nonce value, the client sends "nc=00000001". The purpose of this directive is to allow the server to detect request replays by maintaining its own copy of this count - if the same nc-value is seen twice, then the request is a replay. See the description below of the construction of the request-digest value.

However, the nonce-count starts at "nc=00000002" even for the first request in iOS 10, which causes the server to reject it.

Expected server response: 200 OK

iOS 9 and before:

POST /Tunnel/Message.aspx HTTP/1.1
Host: 172.18.70.12:3454
Accept: */*
Content-Type: application/xml
User-Agent: iViewer/1 CFNetwork/758.5.3 Darwin/15.6.0
Connection: keep-alive
Cookie: 
AuthType: digest
Accept-Language: zh-tw
Content-Length: 69
Accept-Encoding: gzip, deflate
Authorization: Digest username="admin", realm="ND8422P", 
nonce="cc17a78cdd96d54e012eadefe7d13d82", uri="/Tunnel/Message.aspx", 
response="51587db4bcf6eeece68c4ec21108f170", 
cnonce="47b8df8a980f280038834b7817250e90", nc=00000001, qop="auth"
<?xml version="1.0" encoding="UTF-8"?><GetServerInfo></GetServerInfo>

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/xml
Content-Length: 1127

iOS 10:

POST /Tunnel/Message.aspx HTTP/1.1
Host: 172.18.70.12:3454
Accept: */*
Content-Type: application/xml
User-Agent: iViewer/1 CFNetwork/808.0.2 Darwin/16.0.0
Connection: keep-alive
Cookie: 
AuthType: digest
Accept-Language: en-us
Content-Length: 69
Accept-Encoding: gzip, deflate
Authorization: Digest username="admin", realm="ND8422P", 
nonce="4b8bf8549da0c3010f031472e95f387d", uri="/Tunnel/Message.aspx", 
response="91cf44bc0aadf2f743164d03b5c708c7", 
cnonce="b5f9e6c69e19c1b396298d68f2aefe7e", nc=00000002, qop="auth"
<?xml version="1.0" encoding="UTF-8"?><GetServerInfo></GetServerInfo>

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest qop="auth", realm="ND8422P", nonce="8e8b0538bb08876ac4d8203f1d14e9ac"
CSeq: 0

Is anyone facing the same issue?

The only related post I could find is Apple Developer Forums: Problem of the digest authentication, but it has no further information.

How do you fix it, or get a workaround on the client app side, without asking the server side to ignore the wrong nonce-count?

Thanks.
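To make the nonce-count rule from RFC 2617 concrete, here is an added example in Python (written for this page; it is not code from the question, from the camera's server, or from Apple's CFNetwork). It computes the qop="auth" request-digest, builds the Authorization: Digest header, and runs it through a small server-side verifier that keeps its own per-nonce count the way the RFC describes. The username, realm, URI, nonces and cnonce are taken from the captures above; the password is constructed, since the real one is not on the page; and the server's strictly-sequential count check is an assumption about how such a server behaves, used here to show why an initial nc=00000002 is refused while nc=00000001 is accepted.

```python
import hashlib
import hmac
import re

# Sample values. username/realm/uri/nonces/cnonce come from the captures in the
# question; the password is constructed for the demo (the real one is unknown).
USERNAME = "admin"
REALM = "ND8422P"
PASSWORD = "constructed-demo-password"
URI = "/Tunnel/Message.aspx"
SERVER_NONCE = "cc17a78cdd96d54e012eadefe7d13d82"   # nonce from the iOS 9 capture
FRESH_NONCE = "8e8b0538bb08876ac4d8203f1d14e9ac"    # nonce from the iOS 10 401 reply
CNONCE = "47b8df8a980f280038834b7817250e90"         # cnonce from the iOS 9 capture


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def request_digest(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop="auth": MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestClient:
    """Tracks one nonce-count per server nonce, starting at 00000001 as the RFC requires.
    start_at=2 reproduces the off-by-one the question reports for iOS 10."""

    def __init__(self, username, realm, password, start_at=1):
        self.username, self.realm, self.password = username, realm, password
        self.start_at = start_at
        self.counts = {}  # nonce -> number of requests already sent with that nonce

    def authorization_header(self, method, uri, nonce, cnonce, qop="auth"):
        self.counts[nonce] = self.counts.get(nonce, self.start_at - 1) + 1
        nc = f"{self.counts[nonce]:08x}"          # 8 lowercase hex digits, unquoted
        resp = request_digest(self.username, self.realm, self.password,
                              method, uri, nonce, nc, cnonce, qop)
        return (f'Digest username="{self.username}", realm="{self.realm}", nonce="{nonce}", '
                f'uri="{uri}", response="{resp}", cnonce="{cnonce}", nc={nc}, qop="{qop}"')


_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_header(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (nc is sent unquoted)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


class DigestServer:
    """Verifies the digest and requires nc to advance by exactly one per nonce: a
    lower nc is a replay, a higher one is out of sequence (the iOS 10 symptom)."""

    REQUIRED = ("username", "realm", "nonce", "uri", "response", "cnonce", "nc", "qop")

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users      # username -> password
        self.last_nc = {}       # nonce -> last accepted count

    def check(self, method, header):
        p = parse_digest_header(header)
        missing = [k for k in self.REQUIRED if k not in p]
        if missing:
            return False, f"missing directives: {missing}"
        password = self.users.get(p["username"])
        if password is None or p["realm"] != self.realm:
            return False, "unknown user or realm"
        try:
            nc = int(p["nc"], 16)
        except ValueError:
            return False, "nc is not hexadecimal"
        expected = self.last_nc.get(p["nonce"], 0) + 1
        if nc < expected:
            return False, f"replay: nc={p['nc']} already seen"
        if nc > expected:
            return False, f"nonce-count out of sequence: got nc={p['nc']}, expected {expected:08x}"
        want = request_digest(p["username"], self.realm, password, method,
                              p["uri"], p["nonce"], p["nc"], p["cnonce"], p["qop"])
        if not hmac.compare_digest(want, p["response"]):
            return False, "bad response digest"
        self.last_nc[p["nonce"]] = nc
        return True, "ok"


def demo():
    """Run the four cases a verifier must distinguish; returns {case: (accepted, reason)}."""
    server = DigestServer(REALM, {USERNAME: PASSWORD})
    good = DigestClient(USERNAME, REALM, PASSWORD)               # RFC-conformant client
    ios10 = DigestClient(USERNAME, REALM, PASSWORD, start_at=2)  # first request carries nc=2
    results = {}
    h1 = good.authorization_header("POST", URI, SERVER_NONCE, CNONCE)
    results["first_request_nc1"] = server.check("POST", h1)
    results["replay_of_nc1"] = server.check("POST", h1)           # identical header resent
    results["second_request_nc2"] = server.check(
        "POST", good.authorization_header("POST", URI, SERVER_NONCE, CNONCE))
    results["ios10_first_request"] = server.check(
        "POST", ios10.authorization_header("POST", URI, FRESH_NONCE, CNONCE))
    bad_pw = DigestClient(USERNAME, REALM, "wrong-password")
    results["wrong_password"] = server.check(
        "POST", bad_pw.authorization_header("POST", URI, FRESH_NONCE, CNONCE))
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:22s} accepted={ok} ({reason})")
```

The server deliberately checks the count before the digest: a replayed or out-of-sequence nc is rejected without touching the password, which is exactly the behaviour the question observes when the camera answers a fresh nc=00000002 with another 401. A real server would also expire nonces; that is left out to keep the example on the nc rule.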

Recommended answer

Apple Developer Technical Support confirmed that this is a bug in iOS 10. Hope it will be fixed soon.

Thank you for contacting Apple Developer Technical Support (DTS).
We believe this issue is a bug. Please file a bug report using the Bug Reporter tool at https://developer.apple.com/bug-reporting/

Update: Apple fixed this issue in iOS 10.2 Beta 3
