HTTP基本身份验证-预期的Web浏览器体验是什么? [英] HTTP Basic Authentication - what's the expected web browser experience?
问题描述
当服务器允许通过基本HTTP身份验证进行访问时,在Web浏览器中的体验是什么?
When a server allows access via Basic HTTP Authentication, what is the experience expected to be in a web browser?
暂时忽略网络浏览器,以下是使用curl
创建基本身份验证请求的方法:
Ignoring the web browser for a moment, here's how to create a Basic Auth request with curl
:
curl -u myusername:mypassword http://somesite.com
但是在Web浏览器中呢?我在某些网站上看到的是访问URL,然后服务器返回响应代码401.然后浏览器显示用户名/密码提示.
But what about in a Web Browser? What I've seen on some websites, is I visit the URL, and then the server returns response code 401. The browser then displays a username/password prompt.
但是,在somesite.com上,我根本没有得到任何授权提示,只有一个页面显示我没有得到授权.某个网站没有正确实施Basic Auth工作流程,还是我需要做其他事情?
However, on somesite.com, I'm not getting an authorization prompt at all, just a page that says I'm not authorized. Did somesite not implement the Basic Auth workflow correctly, or is there something else I need to do?
推荐答案
为帮助大家避免混乱,我将分两部分重新阐述这个问题.
To help everyone avoid confusion, I will reformulate the question in two parts.
首先:如何使用BASIC身份验证通过浏览器发出经过身份验证的HTTP请求?" .
在浏览器中,您可以通过等待提示来首先进行http基本认证,或者如果遵循以下格式,则可以编辑URL:http://myusername:mypassword@somesite.com
In the browser you can do a http basic auth first by waiting the prompt to come, or by editing the URL if you follow this format: http://myusername:mypassword@somesite.com
NB:如果您安装了命令行和curl,则问题中提到的curl命令就可以了. ;)
NB: the curl command mentionned in the question is perfectly fine, if you have a command-line and curl installed. ;)
参考:
- https://en.wikipedia.org/wiki/Basic_access_authentication#URL_encoding
- https://en.wikipedia.org/wiki/Uniform_Resource_Locator#Syntax
- https://tools.ietf.org/html/rfc3986#page-18
- https://en.wikipedia.org/wiki/Basic_access_authentication#URL_encoding
- https://en.wikipedia.org/wiki/Uniform_Resource_Locator#Syntax
- https://tools.ietf.org/html/rfc3986#page-18
还要根据CURL手册页 https://curl.haxx.se/docs/manual .html
Also according to the CURL manual page https://curl.haxx.se/docs/manual.html
HTTP
Curl also supports user and password in HTTP URLs, thus you can pick a file
like:
curl http://name:passwd@machine.domain/full/path/to/file
or specify user and password separately like in
curl -u name:passwd http://machine.domain/full/path/to/file
HTTP offers many different methods of authentication and curl supports
several: Basic, Digest, NTLM and Negotiate (SPNEGO). Without telling which
method to use, curl defaults to Basic. You can also ask curl to pick the
most secure ones out of the ones that the server accepts for the given URL,
by using --anyauth.
NOTE! According to the URL specification, HTTP URLs can not contain a user
and password, so that style will not work when using curl via a proxy, even
though curl allows it at other times. When using a proxy, you _must_ use
the -u style for user and password.
第二个真正的问题是",但是,在somesite.com上,我根本没有得到任何授权提示,只有一个页面显示我没有被授权.某网站没有实现Basic Auth工作流程正确,还是我需要做些其他事情?"
curl文档说-u
选项支持许多身份验证方法,默认为Basic.
The curl documentation says the -u
option supports many method of authentication, Basic being the default.
这篇关于HTTP基本身份验证-预期的Web浏览器体验是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!