Why does the Authorization line change for every Firefox request?

Views: 140

Problem description


When running with Kerberos tickets, I have noticed that every Firefox request has a different Authorization line in the HTTP header. I loaded a simple page, then hit the reload button several times and it was never the same. What causes this behavior? I would have thought that the Authorization line would stay constant for the duration of the Kerberos credentials. (Note that I got the credentials via the kinit command before firing up Firefox.)

When the authentication method is Basic, then Firefox continues to send the same base64 string of 'user:password' every time. This is the behavior I expected.

Any ideas?

Solution

This is due to various limitations in both HTTP and in how Negotiate-Auth works.

HTTP was originally designed as a stateless protocol, and HTTP's authentication system assumes that model. It was designed to do a full authentication exchange in each request; for example, with Basic, it's enclosing your full credentials in each request. With Negotiate-Auth and SPNEGO, the same thing is true: a brand new GSS-API context is created and a fresh authentication is performed with each request.

Yes, this is very wasteful. But there (currently) isn't any standardized way to authenticate once, establish a session, and then bind all subsequent requests to that session (the way that, say, IMAP, POP, or ssh do). There is some IETF work in this direction, but it's very preliminary.

The ticket is cached; it's not doing that much work each time. But the server and the client go through the whole GSS-API session dance each time.
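The difference the answer describes is easy to observe in a capture. The following script is an added example, not code from the original question or answer: it takes a run of captured `Authorization` header lines, decodes the Basic case to show why it never changes (it is just a deterministic base64 encoding of `user:password`), and counts distinct tokens per scheme so that Negotiate requests show one fresh token per request. The captures are constructed inline; the Negotiate tokens are placeholders that only reproduce the leading `0x60` byte of a real GSS-API InitialContextToken, not actual SPNEGO output.

```python
import base64
from collections import Counter

# Constructed sample captures for this example (not from the original post).
# Basic: the same user:password is sent on every request.
BASIC_REQUESTS = [
    "Authorization: Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
    for _ in range(3)
]

# Negotiate: each request carries a freshly built GSS-API/SPNEGO token.
# Real tokens are DER-framed (RFC 2743 InitialContextToken, tag 0x60) and much
# longer; these placeholders only reproduce the framing byte.
NEGOTIATE_REQUESTS = [
    "Authorization: Negotiate "
    + base64.b64encode(b"\x60" + f"placeholder-token-{i}".encode("ascii")).decode("ascii")
    for i in range(3)
]


def parse_authorization(header_line):
    """Split 'Authorization: <scheme> <token>' into (scheme, token)."""
    _, _, value = header_line.partition(":")
    scheme, _, token = value.strip().partition(" ")
    return scheme, token.strip()


def decode_basic(token):
    """Recover (user, password) from a Basic token; this is why it is constant."""
    raw = base64.b64decode(token).decode("utf-8")
    user, _, password = raw.partition(":")
    return user, password


def is_gssapi_framed(token):
    """True if the base64 token decodes to a GSS-API InitialContextToken (tag 0x60)."""
    try:
        return base64.b64decode(token)[:1] == b"\x60"
    except (ValueError, IndexError):
        return False


def summarize(header_lines):
    """Count distinct tokens per scheme across a run of captured requests."""
    parsed = [parse_authorization(h) for h in header_lines]
    schemes = {scheme for scheme, _ in parsed}
    if len(schemes) != 1:
        raise ValueError(f"mixed schemes in capture: {sorted(schemes)}")
    scheme = schemes.pop()
    counts = Counter(token for _, token in parsed)
    return {
        "scheme": scheme,
        "requests": len(parsed),
        "distinct_tokens": len(counts),
        # A Negotiate token reused across requests would be unexpected, since
        # the browser builds a new GSS-API context for every request.
        "reused_tokens": sorted(t for t, n in counts.items() if n > 1),
    }


if __name__ == "__main__":
    for capture in (BASIC_REQUESTS, NEGOTIATE_REQUESTS):
        print(summarize(capture))
    print(decode_basic(parse_authorization(BASIC_REQUESTS[0])[1]))
```

Run against a real capture, the Basic summary reports one distinct token for any number of requests (and `decode_basic` shows the credentials every request carries), while the Negotiate summary reports as many distinct tokens as requests; a non-empty `reused_tokens` list for Negotiate would be worth investigating, because a fresh context should produce a fresh token.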

