Is it possible to use Digest-Authentication with a XMLHTTPRequest?


Problem description


I have a simple question: Is it possible to use Digest-Authentication with a XMLHTTPRequest?

If the answer is no, what's the technical reason? Or if it is possible - how can I do that?

Thanks a lot … Google has no good answer so far :-/

EDIT:

Thanks for the answers. Modifying the header to match the digest authentication-scheme, after a nonce has been received, seems to be a solution.

But what I was really looking for was that I could change my current call: xmlhttp.open("GET", url, false, username, password); to sth. like that xmlhttp.open("GET", url, false, username, password, "DIGEST");

That’s also part of my initial question: Why does the open-method not offer the option to make a digest-request?

Maybe there is a js-lib one could recommend that lets me do that - as you imagine, I don't really want to change the one and simple xmlhttp.open to multiple requests and first get a nonce.

Solution

You can do it no problem. Just follow the parts of the specs you feel like ;)
http://tools.ietf.org/html/rfc2617
and this is all you are missing to start writing your authentication library
http://pajhome.org.uk/crypt/md5/
on the client side.

pre-exchange user name and password
Hey I want to authenticate ----> server
Ok here is a nonce/salt ----> client
here is a md5 hash sum of my username password timestamp and the salt -----> server
I just hashed up your password and username the same way you did and they are the same -----> client
Those are the basics of it.

I left out that you need to include the URI of the requested resource in the hashsum!!!!
Of course you do this with every request you make for a resource to the server; that way someone intercepting the hash could only view the content you requested and could not make a request for a miscellaneous resource. This method does not secure the data, just access to it.
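The URI-bound hash the answer describes, worked through as RFC 2617 defines it (section 3.2.2, qop=auth) and checked against the RFC's own sample values. This is an added example for Node.js, not code from the original answer; the function names `parseChallenge` and `digestAuthorization` are hypothetical.

```javascript
// Added example (Node.js): RFC 2617 Digest response, qop=auth, algorithm MD5.
const { createHash, randomBytes } = require('node:crypto');

const md5 = (s) => createHash('md5').update(s, 'utf8').digest('hex');

// Parse a "WWW-Authenticate: Digest ..." value (escaped quotes inside values not handled).
function parseChallenge(header) {
  if (!/^Digest\s/i.test(header)) throw new Error('not a Digest challenge');
  const params = {};
  for (const m of header.matchAll(/(\w+)=(?:"([^"]*)"|([^\s,]+))/g)) {
    params[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  if (!params.realm || !params.nonce) throw new Error('realm and nonce are required');
  return params;
}

// Build the Authorization header for one request; nc counts requests sent with this nonce.
function digestAuthorization({ username, password, method, uri, challenge, nc = 1,
                               cnonce = randomBytes(8).toString('hex') }) {
  const c = parseChallenge(challenge);
  if (c.algorithm && c.algorithm.toUpperCase() !== 'MD5') throw new Error('only MD5 handled here');
  const ha1 = md5(`${username}:${c.realm}:${password}`); // the password itself is never sent
  const ha2 = md5(`${method}:${uri}`);                   // binds the hash to this method + URI
  const fields = { username, realm: c.realm, nonce: c.nonce, uri };
  let tail = '';
  if ((c.qop || '').split(',').map((q) => q.trim()).includes('auth')) {
    const ncHex = nc.toString(16).padStart(8, '0');
    fields.response = md5(`${ha1}:${c.nonce}:${ncHex}:${cnonce}:auth:${ha2}`);
    tail = `, qop=auth, nc=${ncHex}, cnonce="${cnonce}"`;
  } else {
    fields.response = md5(`${ha1}:${c.nonce}:${ha2}`); // challenge without qop (RFC 2069 form)
  }
  if (c.opaque) fields.opaque = c.opaque;
  const quoted = Object.entries(fields).map(([k, v]) => `${k}="${v}"`).join(', ');
  return { response: fields.response, header: `Digest ${quoted}${tail}` };
}

// Sample values from the example in RFC 2617, section 3.5.
const RFC_CHALLENGE = 'Digest realm="testrealm@host.com", qop="auth,auth-int", ' +
  'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"';
const sample = digestAuthorization({
  username: 'Mufasa', password: 'Circle Of Life', method: 'GET', uri: '/dir/index.html',
  challenge: RFC_CHALLENGE, cnonce: '0a4f113b',
});
console.log(sample.header);
```

Because the method and URI go into the hash, the same nonce yields a different response for any other resource, and the response body itself is still sent unprotected unless the connection uses TLS.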
