如何抑制浏览器的身份验证对话框? [英] How can I suppress the browser's authentication dialog?
问题描述
我的 Web 应用程序有一个登录页面,该页面通过 AJAX 调用提交身份验证凭据.如果用户输入正确的用户名和密码,则一切正常,但如果没有,则会发生以下情况:
My web application has a login page that submits authentication credentials via an AJAX call. If the user enters the correct username and password, everything is fine, but if not, the following happens:
- Web 服务器确定,尽管请求包含格式正确的 Authorization 标头,但标头中的凭据未成功通过身份验证.
- Web 服务器返回 401 状态代码,并包含一个或多个 WWW-Authenticate 标头,其中列出了支持的身份验证类型.
- 浏览器检测到我对 XMLHttpRequest 对象的调用的响应是 401,并且响应包含 WWW-Authenticate 标头.然后它会弹出一个身份验证对话框,再次询问用户名和密码.
在第 3 步之前这一切都很好.我不想弹出对话框,我想在我的 AJAX 回调函数中处理 401 响应.(例如,通过在登录页面上显示错误消息.)当然,我希望用户重新输入他们的用户名和密码,但我希望他们看到我友好、令人放心的登录表单,而不是浏览器的丑陋、默认身份验证对话框.
This is all fine up until step 3. I don't want the dialog to pop up, I want want to handle the 401 response in my AJAX callback function. (For example, by displaying an error message on the login page.) I want the user to re-enter their username and password, of course, but I want them to see my friendly, reassuring login form, not the browser's ugly, default authentication dialog.
顺便说一句,我无法控制服务器,因此无法让它返回自定义状态代码(即 401 以外的其他代码).
Incidentally, I have no control over the server, so having it return a custom status code (i.e., something other than a 401) is not an option.
有什么办法可以取消身份验证对话框吗?特别是,我可以在 Firefox 2 或更高版本中取消需要身份验证"对话框吗?有没有办法在 IE 6 及更高版本中抑制连接到 [host] 对话框?
Is there any way I can suppress the authentication dialog? In particular, can I suppress the Authentication Required dialog in Firefox 2 or later? Is there any way to suppress the Connect to [host] dialog in IE 6 and later?
编辑
来自作者的其他信息(9 月 18 日):
我应该补充一点,浏览器弹出的身份验证对话框的真正问题在于它向用户提供的信息不足.
Edit
Additional information from the author (Sept. 18):
I should add that the real problem with the browser's authentication dialog popping up is that it give insufficient information to the user.
用户刚刚通过登录页面上的表单输入了用户名和密码,他相信他已经正确输入了它们,并且他点击了提交按钮或按了回车键.他的期望是他将被带到下一页,或者可能被告知他输入的信息不正确,应该再试一次.然而,他看到的是一个意想不到的对话框.
The user has just entered a username and password via the form on the login page, he believes he has typed them both correctly, and he has clicked the submit button or hit enter. His expectation is that he will be taken to the next page or perhaps told that he has entered his information incorrectly and should try again. However, he is instead presented with an unexpected dialog box.
对话框不承认他只是确实输入了用户名和密码.它没有明确说明存在问题,他应该再试一次.相反,该对话框会向用户显示诸如站点说:'[realm]'"之类的神秘信息.其中 [realm] 是一个只有程序员才会喜欢的简短域名.
The dialog makes no acknowledgment of the fact he just did enter a username and password. It does not clearly state that there was a problem and that he should try again. Instead, the dialog box presents the user with cryptic information like "The site says: '[realm]'." Where [realm] is a short realm name that only a programmer could love.
Web 浏览器设计者注意:如果对话框本身对用户更友好,那么没有人会问如何抑制身份验证对话框.我使用登录表单的全部原因是我们的产品管理团队认为浏览器的身份验证对话框很糟糕.
Web broswer designers take note: no one would ask how to suppress the authentication dialog if the dialog itself were simply more user-friendly. The entire reason that I am doing a login form is that our product management team rightly considers the browsers' authentication dialogs to be awful.
推荐答案
我认为这是不可能的——如果你使用浏览器的 HTTP 客户端实现,它总是会弹出那个对话框.我想到了两个黑客:
I don't think this is possible -- if you use the browser's HTTP client implementation, it will always pop up that dialog. Two hacks come to mind:
也许 Flash 的处理方式不同(我还没有尝试过),所以让 Flash 电影提出请求可能会有所帮助.
Maybe Flash handles this differently (I haven't tried yet), so having a flash movie make the request might help.
您可以为您在自己的服务器上访问的服务设置一个代理",并让它稍微修改身份验证标头,以便浏览器无法识别它们.
You can set up a 'proxie' for the service that you're accessing on your own server, and have it modify the authentication headers a bit, so that the browser doesn't recognise them.
这篇关于如何抑制浏览器的身份验证对话框?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
