默认情况下，发送基本身份验证，而不是等待HTTP 401 [英] Send BASIC auth by default, rather than wait for HTTP 401

问题描述

我有一个要求基本认证头是在请求present Web服务，或服务将返回一个HTTP 401（授权）。这工作 - 当挑战回来，浏览器（在这种情况下，浏览器）弹出并询问的凭据。然后，他们保存以供将来的请求。

I have a web service that requires a BASIC authentication header to be present in the request, or the service will return an HTTP 401 (unauthorized). This works - when the challenge comes back, the browser (in this case, Chrome) pops up and asks for the credentials. They are then saved for future requests.

我的问题是，现在两个请求被上每个后续请求给服务作出 - 一个没有身份验证（其接收401），然后该浏览器立即与在标头中的正确身份验证应答

My problem is that now two requests are being made on each subsequent request to the service - one without auth (which receives a 401), and then the browser immediately replies with the correct auth in the header.

有没有办法强制浏览器（通过特殊的头部可能），而无需显式地由Web服务每次要求提供凭据？

Is there a way to force the browser (maybe via a special header) to supply credentials without having to be explicitly asked by the web service every time?

推荐答案

我不相信这是可能给浏览器强制preempt的401当您的服务请求时的服务，HTTP响应401并增加了WWW身份验证的基本头，以及，我猜，一种境界（您可以定义）。

I do not believe it is possible to force the browser to preempt the 401. When a request for your service is made the service responds with HTTP 401 and adds the WWW-Authenticate Basic header as well as, I'm guessing, a realm (which you can define).

这将是值得考虑一下的RFC为其进入细节在基本身份验证标准应如何实现基本身份验证。
http://www.ietf.org/rfc/rfc2617.txt

It would be worth taking a look at the RFC for basic authentication which goes into details in how the basic authentication standards should be implement. http://www.ietf.org/rfc/rfc2617.txt

您也可以考虑实现自己的HTTP模块，它应该给你在你的应用程序更多的灵活性，以及​​如何处理基本身份验证。这允许您注册事件处理程序的验证和结束请求活动，并与更多的清晰度您的服务将如何处理基本身份验证决定。针对此底漆可在asp.net网站上。
http://www.asp.net/web-api/overview/security /基本认证

You can also look into implementing your own HTTP Module which should give you more flexibility in your application and how you handle basic authentication. This allows you to register event handlers for Authenticate and End Request events and dictate with a bit more clarity how your service will deal with basic auth. A primer for this is available on the asp.net website. http://www.asp.net/web-api/overview/security/basic-authentication

如果你的服务根据您的应用程序的鉴定使用不同的身份验证（例如该服务将只使用时，应用程序配置为窗体身份验证基本身份验证），比使用HTTP模块将允许你有条件地使用基本身份验证。我通常注册我的处理程序在这种情况下是这样的：

If your services utilize different authentication based on your applications authentication (e.g. the service will only use basic authentication when the application is configured for forms authentication) than using an HTTP Module will allow you to conditionally use basic authentication. I typically register my handlers in this scenario like this:

AuthenticationSection config = (AuthenticationSection)WebConfigurationManager.GetSection("system.web/authentication");

if(config.Mode == AuthenticationMode.Forms)
{
    module.Authenticate += OnEnter;
    context.EndRequest += OnLeave;
}

这篇关于默认情况下，发送基本身份验证，而不是等待HTTP 401的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！