HTTP Digest Authentication


Question

I want to use HTTP Digest Authentication with a central database that stores usernames and encrypted passwords. These data should be used by different servers like Apache httpd or Tomcat for example. The clients will be humans with browsers and other applications communicating in a RESTful way.

As far as I understand I could not use a table with hashed passwords. It is only possible to store HA1 = MD5(username:realm:password), where a clear text password is required - correct?

On the other hand it seems to be possible to use hashed passwords with Apache httpd:

The Apache httpd documentation says:

The first column value of the first row returned by the query statement should be a string containing the encrypted password.

Does it work with digest authentication? There is no parameter to specify the hash algorithm. How does Apache httpd decide which algorithm to use?

RFC 2617 says:

4.13 Storing passwords

Digest authentication requires that the authenticating agent (usually the server) store some data derived from the user's name and password in a "password file" associated with a given realm. Normally this might contain pairs consisting of username and H(A1), where H(A1) is the digested value of the username, realm, and password as described above.

It sounds like the password has to be clear text.

The Servlet 3.0 spec says:

Although passwords are not sent on the wire, HTTP Digest authentication requires that clear text password equivalents be available to the authenticating container so that it can validate received authenticators by calculating the expected digest.

What is the "clear text password equivalent" here? The password hash?

The Tomcat documentation says:

If using digested passwords with DIGEST authentication, the cleartext used to generate the digest is different. In the examples above {cleartext-password} must be replaced with {username}:{realm}:{cleartext-password}. For example, in a development environment this might take the form testUser:localhost:8080:testPassword.

Here a clear text password is required.

So, can HTTP Digest authentication be used with already encrypted passwords or have the passwords to be clear text?

Must the user re-enter his credentials if he requests a page from a different subdomain?

Does the browser delete the cached password when the tab is closed or only when the whole browser is closed? Maybe this differs from browser to browser - I'd be interested in which browsers delete it and which keep it.

The overall question is whether digest authentication is suitable for my scenario with a central user DB with already encrypted passwords. Or should I rather use a session-based single sign-on service?

Recommended answer

In this scenario, where you already have a database of hashed passwords, it's not possible to use digest authentication as long as they were not hashed using the same function.

I think the best solution for you here is to create a login page and use cookie sessions to control the privileges of the users. With this solution you get the answer for the other questions:
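An added example (not code from the question, the answer, or any of the servers mentioned) of the arithmetic the thread is about: the server stores only H(A1) = MD5(username:realm:password), which is the "clear text password equivalent" the Servlet spec refers to, and checks a client's RFC 2617 response from it without ever holding the password. The realm, user, password and nonce values are constructed; because H(A1) is MD5 over that fixed string, a table of passwords hashed any other way cannot be converted into it, which is the point of the answer.

```python
import hashlib
import hmac


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    """The stored password-equivalent: H(A1) = MD5(username:realm:password).
    The realm is baked in, so the same password gives a different H(A1)
    per realm (the Tomcat quote's {username}:{realm}:{cleartext-password})."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 request-digest for qop=auth:
    MD5(H(A1):nonce:nc:cnonce:qop:H(A2)), with H(A2) = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# Constructed realm and user store (hypothetical values, not a real deployment).
REALM = "localhost:8080"
# The server keeps H(A1) only; the clear-text password is never stored.
# A bcrypt/SHA-256 hash of "testPassword" could not be turned into this value.
USER_DB = {"testUser": make_ha1("testUser", REALM, "testPassword")}


def client_response(username, password, method, uri, nonce, nc, cnonce):
    """What the browser computes from the typed password and the challenge."""
    ha1 = make_ha1(username, REALM, password)
    return digest_response(ha1, method, uri, nonce, nc, cnonce)


def server_verify(username, method, uri, nonce, nc, cnonce, response):
    """Server-side check using nothing but the stored H(A1)."""
    ha1 = USER_DB.get(username)
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    chal = dict(nonce="constructed-nonce-1", nc="00000001", cnonce="constructed-cnonce")
    resp = client_response("testUser", "testPassword", "GET", "/dir/index.html", **chal)
    print(server_verify("testUser", "GET", "/dir/index.html", response=resp, **chal))
```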
