Is Digest authentication possible with jQuery?
Question
I'm trying to send a request that requires HTTP Digest authentication.
Is Digest possible in jQuery?
If so, is this close to the correct way to do it? It's not currently working.
<script type="text/javascript">
$.ajax({
    url: url,
    type: 'GET',
    dataType: 'json',
    success: function() { alert('hello!'); },
    error: function() { alert('error'); },
    beforeSend: setHeader
});
function setHeader(xhr) {
    xhr.setRequestHeader("Authorization", "Digest username:password");
    xhr.setRequestHeader("Accept", "application/json");
}
</script>
Recommended answer
No, the Digest Access Authentication Scheme is a little more complex as it implements a challenge-response authentication mechanism that requires the following steps:
1. client sends a request for an access-protected resource, but an acceptable Authorization header field is not sent
2. server responds with a "401 Unauthorized" status code and a WWW-Authenticate header field (the digest-challenge)
3. client sends another request for the same resource but containing an Authorization header field in response to the challenge (the digest-response)
4. if the authorization is not successful, go to step 2; otherwise the server proceeds as normal.
This means there are at least two request/response pairs.
Each WWW-Authenticate response header field has the syntax:
challenge = "Digest" digest-challenge
digest-challenge = 1#( realm | [ domain ] | nonce |
[ opaque ] |[ stale ] | [ algorithm ] |
[ qop-options ] | [auth-param] )
So you need to parse the digest-challenge to get the parameters to be able to generate a digest-response for the Authorization request header field with the following syntax:
credentials = "Digest" digest-response
digest-response = 1#( username | realm | nonce | digest-uri
| response | [ algorithm ] | [cnonce] |
[opaque] | [message-qop] |
[nonce-count] | [auth-param] )
That section does also describe how the digest-response parameters are calculated. In particular, you will probably need an MD5 implementation as that’s the most commonly used algorithm for this authentication scheme.
Here is a simple tokenization that you can start with:
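// Building blocks from the HTTP grammar: linear whitespace, token, quoted-string
var ws = '(?:(?:\\r\\n)?[ \\t])+',
    token = '(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2E\\x30-\\x39\\x3F\\x41-\\x5A\\x5E-\\x7A\\x7C\\x7E]+)',
    // qdtext excludes '"' (0x22) and '\' (0x5C); a backslash is only allowed as a quoted-pair
    quotedString = '"(?:[\\x00-\\x0B\\x0D-\\x21\\x23-\\x5B\\x5D-\\x7F]|'+ws+'|\\\\[\\x00-\\x7F])*"',
    tokenizer = RegExp(token+'(?:=(?:'+quotedString+'|'+token+'))?', 'g');
// The challenge arrives in the WWW-Authenticate response header
var tokens = xhr.getResponseHeader("WWW-Authenticate").match(tokenizer);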
This will turn a WWW-Authenticate header field like:
WWW-Authenticate: Digest
realm="testrealm@host.com",
qop="auth,auth-int",
nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
opaque="5ccc069c403ebaf9f0171e9517f40e41"
into:
['Digest', 'realm="testrealm@host.com"', 'qop="auth,auth-int"', 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"', 'opaque="5ccc069c403ebaf9f0171e9517f40e41"']
Then you need to parse the parameters (check existence and validity) and extract the values. Note that quoted-string values can be folded, so you need to unfold them (see also the use of the unquote function unq in the RFC):
function unq(quotedString) {
    return quotedString.substr(1, quotedString.length-2).replace(/(?:(?:\r\n)?[ \t])+/g, " ");
}
With this you should be able to implement that on your own.
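The following added example, which is not part of the original answer, parses the sample challenge shown above and computes the matching digest-response for qop=auth with MD5. The function names are assumptions of this example, and the credentials, URI, nc and cnonce are the sample values from RFC 2617 section 3.5.

```javascript
// Added example, not from the original answer. Runs under Node.js, whose built-in
// crypto module supplies MD5; in a browser you would substitute an MD5 library.
const { createHash } = require('node:crypto');

const md5 = (s) => createHash('md5').update(s, 'utf8').digest('hex');

// Parse 'Digest k="v", k2=v2' into an object. Simplified compared with the
// tokenizer above: assumes quoted values contain no escaped quotes or folding.
function parseChallenge(header) {
  const m = /^Digest\s+(.*)$/is.exec(header.trim());
  if (!m) throw new Error('not a Digest challenge');
  const params = {};
  for (const [, key, quoted, bare] of m[1].matchAll(/([\w-]+)=(?:"([^"]*)"|([^\s,]+))/g)) {
    params[key.toLowerCase()] = quoted !== undefined ? quoted : bare;
  }
  if (params.realm === undefined || params.nonce === undefined) {
    throw new Error('realm and nonce are required');
  }
  return params;
}

// Build the Authorization value for algorithm=MD5 with qop=auth.
// In real use cnonce must be freshly random and nc must increase per nonce.
function digestAuthorization(ch, { username, password, method, uri, cnonce, nc }) {
  if (ch.algorithm && ch.algorithm.toUpperCase() !== 'MD5') throw new Error('unsupported algorithm');
  const qops = (ch.qop || '').split(',').map((q) => q.trim());
  if (!qops.includes('auth')) throw new Error('server does not offer qop=auth');
  const ha1 = md5(`${username}:${ch.realm}:${password}`);
  const ha2 = md5(`${method}:${uri}`);
  const response = md5(`${ha1}:${ch.nonce}:${nc}:${cnonce}:auth:${ha2}`);
  const fields = [ // assumes no value contains a double quote
    `username="${username}"`, `realm="${ch.realm}"`, `nonce="${ch.nonce}"`,
    `uri="${uri}"`, 'qop=auth', `nc=${nc}`, `cnonce="${cnonce}"`, `response="${response}"`,
  ];
  if (ch.opaque) fields.push(`opaque="${ch.opaque}"`);
  return { response, header: 'Digest ' + fields.join(', ') };
}

// Challenge from the answer above; the other inputs are the RFC 2617 sample values.
const challenge = parseChallenge(
  'Digest realm="testrealm@host.com", qop="auth,auth-int", ' +
  'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"');
const result = digestAuthorization(challenge, {
  username: 'Mufasa', password: 'Circle Of Life', method: 'GET',
  uri: '/dir/index.html', cnonce: '0a4f113b', nc: '00000001',
});
console.log(result.header);
```

The resulting header goes on the second request (step 3); since the scheme's protection rests on MD5, send it only over TLS.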