而不让浏览器的AJAX验证弹出登录对话框 [英] Ajax authentication without letting browser pop up login dialog
问题描述
我设计方法 - 一个RESTful Web服务(JBoss的+ RestEasy的)。该UI程序员正在编写一个Ajax的Web应用程序,将使用它。 Web应用程序将与一切在JavaScript中做了一个HTML页面。为了安全,所有的流量经过SSL。
I am desiging a RESTful Web Service (JBoss + RESTeasy). The UI programmer is writing an Ajax web app that will use it. The web app will be one HTML page with everything done in JavaScript. For security, all traffic goes through SSL.
目前我使用基本身份验证。该UI程序员可以显示一个对话框,获得用户名和密码,并把授权:基本XXXXX的标题。不幸的是,如果密码错误,丑陋的浏览器登录对话框出现。也没有办法为用户注销。这是不能接受的。
Currently I'm using Basic authentication. The UI programmer can show a dialog to get a username and password and put "Authorization: Basic xxxxx" in the header. Unfortunately if the password is wrong, the ugly browser login dialog box comes up. Also there is no way for the user to log off. This is unacceptable.
有似乎没有办法拦截401响应于XMLHtt prequest中的任何一种,我们将使用的浏览器。
There appears to be no way to intercept a 401 response to an XMLHttpRequest in any of the browsers we will use.
基于表单的认证将不会为我们工作。我们一段时间没有操作(会话超时相当于)后,需要一个自动注销。我们不能让服务器突然返回一个登录页面,当客户希望JSON对象。
Form-based authentication won't work for us. We need an automatic logoff after some period of inactivity (the equivalent of a session timeout). We can't have the server suddenly return a login page when the client expects a JSON object.
的JBoss提供了四种验证策略:BASIC,FORM,CLIENT-CERT和摘要。我认为DIGEST有同样的问题,因为BASIC。没有四是我们想要的。
JBoss offers four authentication strategies: BASIC, FORM, CLIENT-CERT and DIGEST. I think DIGEST has the same problem as BASIC. None of the four is what we want.
这个Web应用程序将是唯一的客户端(目前),所以没有要求使用基本。是否有任何其他的认证策略,我可以安装?比如有WSSE的UsernameToken的实现可以使用吗? (如在O'Reilly的REST Web服务本书的第8章),服务器会发送WSSE,而不是基本,在WWW身份验证头和presumably浏览器会忽视它的权利,通过它传递
This web application will be the only client (for now) so there is no requirement to use BASIC. Is there any other authentication strategy I can install? For instance is there an implementation of WSSE UsernameToken I can use? (As described in Chapter 8 of the O'Reilly RESTful Web Services book.) The server would send "WSSE" instead of "Basic" in the WWW-Authenticate header and presumably the browser would ignore it and pass it right through.
我要配置安全它所属 - 在JBoss的配置文件,而不是在我的RESTful Web服务 - 所以我在寻找一个实现,我可以只需将其插入到JBoss
I want to configure security where it belongs -- in the JBoss configuration files, not in my RESTful Web Service -- so I'm looking for an implementation I can just plug into JBoss.
推荐答案
不会present密码对话框,如果它不承认的认证方案,在WWW身份验证标头中的浏览器。你最好的选择可能是继续使用基本身份验证的服务器上,而手动设置标题类似基本/ MyApp的401回应。
The browser won't present the password dialog if it doesn't recognize the authentication scheme in the WWW-Authenticate header. Your best bet may be to continue using basic auth on the server while setting the header manually to something like "Basic/MyApp" for 401 responses.
这篇关于而不让浏览器的AJAX验证弹出登录对话框的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
